Windows Analysis Report
Rage.exe

Overview

General Information

Sample name: Rage.exe
Analysis ID: 1577494
MD5: ca817109712a3e97bf8026cdc810743d
SHA1: 961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA256: 6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
Tags: 18521511316185215113209bulletproofexeGuLoaderuser-abus3reports
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found API chain indicative of sandbox detection
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Rage.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\Rage.exe" MD5: CA817109712A3E97BF8026CDC810743D)
    • AutoIt3.exe (PID: 6464 cmdline: "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x MD5: 0ADB9B817F1DF7807576C2D7068DD931)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Rage.exe | Avira: detected
Source: Rage.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: Rage.exe | Joe Sandbox ML: detected
Source: Rage.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Rage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_00406245 FindFirstFileA,FindClose,0_2_00406245
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_0040570A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040570A
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FCA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00FCA0FA
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_00FBE387
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FCA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00FCA488
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC65F1 FindFirstFileW,FindNextFileW,FindClose,2_2_00FC65F1
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F8C642 FindFirstFileExW,2_2_00F8C642
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_00FC72E9
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC7248 FindFirstFileW,FindClose,2_2_00FC7248
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC7247 FindFirstFileW,2_2_00FC7247
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00FBD836
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00FBDB69
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00FC9F9F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FCD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,2_2_00FCD7A1
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Rage.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Rage.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: AutoIt3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.2.dr | String found in binary or memory: http://upx.sf.net
Source: AutoIt3.exe, 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: AutoIt3.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: AutoIt3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004051A7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004051A7
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FCF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00FCF6C7
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FCF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,2_2_00FCF45C
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,2_2_00FBA54A
Source: AutoIt3.exe, 00000002.00000003.2116780007.00000000036EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_faacf2d6-5
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FE9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00FE9ED5
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC4678: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,2_2_00FC4678
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00FB1A91
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031CE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_00FBF122
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004049E6 0_2_004049E6
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F6E0BE 2_2_00F6E0BE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F78037 2_2_00F78037
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F72007 2_2_00F72007
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F5E1A0 2_2_00F5E1A0
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F722C2 2_2_00F722C2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F8A28E 2_2_00F8A28E
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F5225D 2_2_00F5225D
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F6C59E 2_2_00F6C59E
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FDC7A3 2_2_00FDC7A3
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F8E89F 2_2_00F8E89F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC291A 2_2_00FC291A
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F86AFB 2_2_00F86AFB
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB8B27 2_2_00FB8B27
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F7CE30 2_2_00F7CE30
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FE51D2 2_2_00FE51D2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F87169 2_2_00F87169
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F59240 2_2_00F59240
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F59499 2_2_00F59499
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F71724 2_2_00F71724
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F71A96 2_2_00F71A96
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F77BAB 2_2_00F77BAB
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F59B60 2_2_00F59B60
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F77DDA 2_2_00F77DDA
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F71D40 2_2_00F71D40
Source: Joe Sandbox View | Dropped File: C:\ProgramData\wvtynvwe\AutoIt3.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: String function: 00F6FD60 appears 40 times
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: String function: 00F70DC0 appears 46 times
Source: Rage.exe, 00000000.00000002.2068809575.00000000009FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs Rage.exe
Source: Rage.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal68.evad.winEXE@4/6@0/0
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC410F GetLastError,FormatMessageW,2_2_00FC410F
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031CE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB194F AdjustTokenPrivileges,CloseHandle,2_2_00FB194F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00FB1F53
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_00404473 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404473
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FDAFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,2_2_00FDAFDB
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,0_2_004020CB
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FC3923 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,2_2_00FC3923
Source: C:\Users\user\Desktop\Rage.exe | File created: C:\Users\user\AppData\Local\Temp\nstE9BF.tmp
Source: Rage.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rage.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Rage.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Rage.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\Rage.exe | File read: C:\Users\user\Desktop\Rage.exe
Source: unknown | Process created: C:\Users\user\Desktop\Rage.exe "C:\Users\user\Desktop\Rage.exe"
Source: C:\Users\user\Desktop\Rage.exe | Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
Source: C:\Users\user\Desktop\Rage.exe | Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Rage.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wsock32.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: version.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: winmm.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: mpr.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wininet.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: userenv.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wldp.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: ntvdm64.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: textinputframework.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: coreuicomponents.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: coremessaging.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Rage.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Rage.exe | Static file information: File size 1401522 > 1048576
Source: Rage.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F55D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00F55D78
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FA0332 push edi; ret 2_2_00FA0333
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F70E06 push ecx; ret 2_2_00F70E19
Source: C:\Users\user\Desktop\Rage.exe | File created: C:\ProgramData\wvtynvwe\AutoIt3.exe
Source: C:\Users\user\Desktop\Rage.exe | File created: C:\ProgramData\wvtynvwe\AutoIt3.exe
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FE25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00FE25A0
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F6FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_00F6FC8A
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Rage.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\wvtynvwe\AutoIt3.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_2-98970
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeAPI coverage: 3.6 %
Source: C:\Users\user\Desktop\Rage.exeCode function: 0_2_00406245 FindFirstFileA,FindClose,0_2_00406245
Source: C:\Users\user\Desktop\Rage.exeCode function: 0_2_0040570A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040570A
Source: C:\Users\user\Desktop\Rage.exeCode function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FCA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00FCA0FA
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FBE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_00FBE387
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FCA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00FCA488
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FC65F1 FindFirstFileW,FindNextFileW,FindClose,2_2_00FC65F1
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F8C642 FindFirstFileExW,2_2_00F8C642
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FC72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_00FC72E9
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FC7248 FindFirstFileW,FindClose,2_2_00FC7248
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FC7247 FindFirstFileW,2_2_00FC7247
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FBD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00FBD836
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FBDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00FBDB69
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FC9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00FC9F9F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F55D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00F55D78
Source: Amcache.hve.2.drBinary or memory string: VMware
Source: Amcache.hve.2.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.2.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.2.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.drBinary or memory string: vmci.sys
Source: Amcache.hve.2.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.2.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.2.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.drBinary or memory string: VMware20,1
Source: Amcache.hve.2.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Rage.exeAPI call chain: ExitProcess graph end nodegraph_0-3316
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FCF3FF BlockInput,2_2_00FCF3FF
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F53312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_00F53312
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F55D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,2_2_00F55D78
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F75078 mov eax, dword ptr fs:[00000030h]2_2_00F75078
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FB2093 GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,2_2_00FB2093
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F829B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F829B2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F70BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F70BCF
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F70D65 SetUnhandledExceptionFilter,2_2_00F70D65
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F70FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00F70FB1
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00FB1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,2_2_00FB1A91
Source: C:\ProgramData\wvtynvwe\AutoIt3.exeCode function: 2_2_00F53312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,2_2_00F53312
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBBB02 SendInput,keybd_event,2_2_00FBBB02
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FBEBE5 mouse_event,2_2_00FBEBE5
Source: C:\Users\user\Desktop\Rage.exe | Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,2_2_00FB13F2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FB1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,2_2_00FB1EF3
Source: AutoIt3.exe, 00000002.00000000.2067844068.0000000001013000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: AutoIt3.exe | Binary or memory string: Shell_TrayWnd
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F70A28 cpuid 2_2_00F70A28
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FAE59A GetLocalTime,2_2_00FAE59A
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FAE5F8 GetUserNameW,2_2_00FAE5F8
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00F8BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,2_2_00F8BCF2
Source: C:\Users\user\Desktop\Rage.exe | Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031CE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.2.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr | Binary or memory string: MsMpEng.exe
Source: AutoIt3.exe | Binary or memory string: WIN_81
Source: AutoIt3.exe, 00000002.00000003.2121422485.0000000001146000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_XP
Source: AutoIt3.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe | Binary or memory string: WIN_XPe
Source: AutoIt3.exe | Binary or memory string: WIN_VISTA
Source: AutoIt3.exe | Binary or memory string: WIN_7
Source: AutoIt3.exe | Binary or memory string: WIN_8
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FD2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00FD2163
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe | Code function: 2_2_00FD1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_00FD1B61
MITRE ATT&CK matrix (flattened during extraction; only the cells that carry signature hits are listed below, with the number shown next to each technique in the report kept in parentheses):
• Initial Access: Valid Accounts (2)
• Execution: Native API (1)
• Persistence: Valid Accounts (2), DLL Side-Loading (1)
• Privilege Escalation: Valid Accounts (2), Exploitation for Privilege Escalation (1), Access Token Manipulation (21), Process Injection (12), DLL Side-Loading (1)
• Defense Evasion: Valid Accounts (2), Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Access Token Manipulation (21), Process Injection (12), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
• Credential Access: Input Capture (31)
• Discovery: System Time Discovery (2), Security Software Discovery (131), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (16)
• Collection: Input Capture (31), Archive Collected Data (1), Clipboard Data (3)
• Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1)
• Impact: System Shutdown/Reboot (1)
No techniques were flagged under Reconnaissance, Resource Development, Lateral Movement or Exfiltration.
Source | Detection | Scanner | Label
Rage.exe | 53% | ReversingLabs | Win32.Trojan.Privateloader
Rage.exe | 100% | Avira | HEUR/AGEN.1355636
Rage.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\ProgramData\wvtynvwe\AutoIt3.exe | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | AutoIt3.exe, 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr | false | | high
http://upx.sf.net | Amcache.hve.2.dr | false | | high
http://nsis.sf.net/NSIS_Error | Rage.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | Rage.exe | false | | high
https://www.autoitscript.com/autoit3/ | AutoIt3.exe.0.dr | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577494
Start date and time: 2024-12-18 14:18:58 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Rage.exe
Detection: MAL
Classification: mal68.evad.winEXE@4/6@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 71
• Number of non-executed functions: 311
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Rage.exe
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\wvtynvwe\AutoIt3.exe | copia111224mp.hta | malicious | Unknown
C:\ProgramData\wvtynvwe\AutoIt3.exe | FX6KTgnipP.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | uhbrQkYNzx.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | qPLzfnxGbj.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | ngPebbPhbp.exe | malicious | RHADAMANTHYS
C:\ProgramData\wvtynvwe\AutoIt3.exe | FS04dlvJrq.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | M1Y6kc9FpE.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | mJIvCBk5vF.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | lcbF0sywlU.exe | malicious | FormBook
C:\ProgramData\wvtynvwe\AutoIt3.exe | 1aG5DoOsAW.exe | malicious | FormBook
Process: C:\ProgramData\wvtynvwe\AutoIt3.exe
File Type: data
Category: dropped
Size (bytes): 622080
Entropy (8bit): 7.9997308156842095
Encrypted: true
SSDEEP: 12288:VmDWsllXiXi1W6/qvdYO0q2OIaFdI0bYkqmYdGGWQYt:VmVlXiAO+nOIaHYdGac
MD5: DBF76F233EFEB642BDF11A19274F1024
SHA1: DE7704F63F2D59545348665A81CF8C04DCE3B5E4
SHA-256: 268ADE4ED11213FAFAD41161A2A3465972269EF1132095E798FE1E59FF15054C
SHA-512: 35A09918FDC969380D2F225F0FCE9944290D3B2F6443A8B9F0B0D3551B5F3AEDCA78BFBC53FA59596C28316D910E073A09E0855BDA16508DBBBEA8EE05E450F1
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\Rage.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 947288
Entropy (8bit): 6.629681466265794
Encrypted: false
SSDEEP: 24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
MD5: 0ADB9B817F1DF7807576C2D7068DD931
SHA1: 4A1B94A9A5113106F40CD8EA724703734D15F118
SHA-256: 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
SHA-512: 883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: copia111224mp.hta, Detection: malicious
• Filename: FX6KTgnipP.exe, Detection: malicious
• Filename: uhbrQkYNzx.exe, Detection: malicious
• Filename: qPLzfnxGbj.exe, Detection: malicious
• Filename: ngPebbPhbp.exe, Detection: malicious
• Filename: FS04dlvJrq.exe, Detection: malicious
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: lcbF0sywlU.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\Rage.exe
File Type: data
Category: dropped
Size (bytes): 250864
Entropy (8bit): 7.999388677232713
Encrypted: true
SSDEEP: 6144:ZJF8chnNsqla1cCrZlnrfH59NHE28pqRXoYWHnTfE:7FfhnNq19ND7HE28sWdno
MD5: 0F310D0DD203531155EDB3816D108F7B
SHA1: 5BB3EED68D98FE1D6B58593A9F94DD836910141B
SHA-256: 49EB3055447DB8CE038E572FF2A8B48234E14590064EFB9857BBF4779BCCBCC0
SHA-512: BE820A8350304B355253B854B911AC5ECD6A6A544D3F71FE1093316214BDF2DE40DE38E8910499733423983F61DE2C64E95FEF5099C0852A68AC7D08994954FB
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\Rage.exe
File Type: data
Category: dropped
Size (bytes): 810
Entropy (8bit): 7.7008570368813745
Encrypted: false
SSDEEP: 24:MydjnKgYFhOZsLyFze7F9PxLsPtTuPagzj:MydzZGycDq5uyg
MD5: D05B9A6C0174AD4C6A05720C2D44501B
SHA1: CABE5CD3BD6EECA163D4C95C43CE5026BA277753
SHA-256: 153F2D0E2960CA4D2308A6EC33DF33C5F05ACFA1D99445C75B9AE14539DB2232
SHA-512: BAA048D004408F0297CA9DDEBBD391211925EA6F166BFFCD77DB9932AF8717EC11E3963C41B7FCA8CF34961884CCC20B491268F3B22C92D59DD134E8DB0CE2C1
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\Rage.exe
File Type: data
Category: dropped
Size (bytes): 622080
Entropy (8bit): 7.999725875866043
Encrypted: true
SSDEEP: 12288:DchkQgw6LFW6dEfmeW7ixERPvLYP7hNaWTZmarRsR4o60h/fKJmk8SP8:4hyblaf2iivi3a4c49yYP8
MD5: 160F088E0C2CFC575144BAF3C6490757
SHA1: BA3B72EFA7AC73BC530B512103FC4F35B78B5D9D
SHA-256: 0D65174F3D8E4D8BC12FAD4110930C1EB4E711285366CB68A703684B0325D5E3
SHA-512: AA1ACC4F9B8ADE2FA821607C09BC61B539551AD87F9CE2180A84FD80FBC8E48D7669DE35516A40D2609F9972A27816FBFBB983EFBE7E8EB8519913BB437CC468
Malicious: false
Reputation: low
Process: C:\ProgramData\wvtynvwe\AutoIt3.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.418965682179825
Encrypted: false
SSDEEP: 6144:qSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:ZvloTMW+EZMM6DFyn03w
MD5: FE5232270ED271122E34240B4A6786BB
SHA1: 963FB2B58EEA9EEE98ADB548781F0BD612A94797
SHA-256: 83885D8DD3BE14D90F15B38E767E5406A1F96B3099B5D913CF4DC6E7A877DD87
SHA-512: B8FE8B9F35DBF73E8F3EAF35B62064227E411707C08D343EBD6911B8FE6CD9580D0A4612B69C3AE189792BAD6BDDD77617D434F84CB3363E4BB1112690847871
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.995122468475881
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Rage.exe
File size: 1'401'522 bytes
MD5: ca817109712a3e97bf8026cdc810743d
SHA1: 961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA256: 6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
SHA512: de1c67f87a14f7f3c1416c253a117970974c82e87f94a3b176980edfef0164f2dd4621d81ca0cae95d794a2998e325137ce76ebccc5121ab005ca391efcbec3e
SSDEEP: 24576:/cHSfhDMKnkUTgZGLvbPKqCRrLA3FcFfhk1Llhyblaf2iivi3a4c49yYPp:iSZYjUaQvbJQgFcoplMBu2/vvj4cep
TLSH: 7A5533179D79F447CF504DBBC6B8633A5EC48AD8D8F9DB4B47C9D21278E1A27842C888
Icon Hash: 3d2e0f95332b3399
Entrypoint: 0x4031ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x597FCC5E [Tue Aug 1 00:33:34 2017 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3abe302b6d9a1256e6a915429af4ffd2
Instruction (entrypoint disassembly)
                                sub esp, 00000184h
                                push ebx
                                push esi
                                push edi
                                xor ebx, ebx
                                push 00008001h
                                mov dword ptr [esp+18h], ebx
                                mov dword ptr [esp+10h], 0040A198h
                                mov dword ptr [esp+20h], ebx
                                mov byte ptr [esp+14h], 00000020h
                                call dword ptr [004080A0h]
                                call dword ptr [0040809Ch]
                                and eax, BFFFFFFFh
                                cmp ax, 00000006h
                                mov dword ptr [007A2F4Ch], eax
                                je 00007F9D08AFF673h
                                push ebx
                                call 00007F9D08B0272Ah
                                cmp eax, ebx
                                je 00007F9D08AFF669h
                                push 00000C00h
                                call eax
                                mov esi, 00408298h
                                push esi
                                call 00007F9D08B026A6h
                                push esi
                                call dword ptr [00408098h]
                                lea esi, dword ptr [esi+eax+01h]
                                cmp byte ptr [esi], bl
                                jne 00007F9D08AFF64Dh
                                push 0000000Ah
                                call 00007F9D08B026FEh
                                push 00000008h
                                call 00007F9D08B026F7h
                                push 00000006h
                                mov dword ptr [007A2F44h], eax
                                call 00007F9D08B026EBh
                                cmp eax, ebx
                                je 00007F9D08AFF671h
                                push 0000001Eh
                                call eax
                                test eax, eax
                                je 00007F9D08AFF669h
                                or byte ptr [007A2F4Fh], 00000040h
                                push ebp
                                call dword ptr [00408044h]
                                push ebx
                                call dword ptr [00408288h]
                                mov dword ptr [007A3018h], eax
                                push ebx
                                lea eax, dword ptr [esp+38h]
                                push 00000160h
                                push eax
                                push ebx
                                push 0079E500h
                                call dword ptr [00408178h]
                                push 0040A188h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0xa50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x602d | 0x6200 | 3185076a5a29defdf887b84542b0b282 | False | 0.6696827168367347 | data | 6.442241024363186 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1248 | 0x1400 | 34765c826af6bd742ec098b21c19a239 | False | 0.4287109375 | data | 5.0453837222906515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x399058 | 0x400 | cef4e1d3e6f981154be7da00aaf384f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a4000 | 0x8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3ac000 | 0xa50 | 0xc00 | 52f3fab1bd39f34b7703451e89302346 | False | 0.4029947916666667 | data | 4.191234591104813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3ac190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States | 1.2
RT_MANIFEST | 0x3ac710 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
                                No network behavior found


                                Target ID:0
                                Start time:08:19:50
                                Start date:18/12/2024
                                Path:C:\Users\user\Desktop\Rage.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Rage.exe"
                                Imagebase:0x400000
                                File size:1'401'522 bytes
                                MD5 hash:CA817109712A3E97BF8026CDC810743D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:08:19:50
                                Start date:18/12/2024
                                Path:C:\ProgramData\wvtynvwe\AutoIt3.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
                                Imagebase:0xf50000
                                File size:947'288 bytes
                                MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Reputation:moderate
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:12.1%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:20.8%
                                  Total number of Nodes:1315
                                  Total number of Limit Nodes:17
4218 401e43 ShowWindow 4217->4218 4219 401e4e EnableWindow 4217->4219 4220 402951 4218->4220 4219->4220 4221 4051a7 4222 405352 4221->4222 4223 4051c9 GetDlgItem GetDlgItem GetDlgItem 4221->4223 4225 405382 4222->4225 4226 40535a GetDlgItem CreateThread CloseHandle 4222->4226 4266 404038 SendMessageA 4223->4266 4228 4053b0 4225->4228 4229 4053d1 4225->4229 4230 405398 ShowWindow ShowWindow 4225->4230 4226->4225 4227 405239 4232 405240 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4227->4232 4231 40540b 4228->4231 4234 4053c0 4228->4234 4235 4053e4 ShowWindow 4228->4235 4236 40406a 8 API calls 4229->4236 4268 404038 SendMessageA 4230->4268 4231->4229 4241 405418 SendMessageA 4231->4241 4239 405292 SendMessageA SendMessageA 4232->4239 4240 4052ae 4232->4240 4269 403fdc 4234->4269 4237 405404 4235->4237 4238 4053f6 4235->4238 4243 4053dd 4236->4243 4245 403fdc SendMessageA 4237->4245 4244 405069 24 API calls 4238->4244 4239->4240 4246 4052c1 4240->4246 4247 4052b3 SendMessageA 4240->4247 4241->4243 4248 405431 CreatePopupMenu 4241->4248 4244->4237 4245->4231 4250 404003 18 API calls 4246->4250 4247->4246 4249 405f64 17 API calls 4248->4249 4251 405441 AppendMenuA 4249->4251 4252 4052d1 4250->4252 4253 405472 TrackPopupMenu 4251->4253 4254 40545f GetWindowRect 4251->4254 4255 4052da ShowWindow 4252->4255 4256 40530e GetDlgItem SendMessageA 4252->4256 4253->4243 4258 40548e 4253->4258 4254->4253 4259 4052f0 ShowWindow 4255->4259 4260 4052fd 4255->4260 4256->4243 4257 405335 SendMessageA SendMessageA 4256->4257 4257->4243 4261 4054ad SendMessageA 4258->4261 4259->4260 4267 404038 SendMessageA 4260->4267 4261->4261 4263 4054ca OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4261->4263 4264 4054ec SendMessageA 4263->4264 4264->4264 4265 40550e GlobalUnlock SetClipboardData CloseClipboard 4264->4265 4265->4243 4266->4227 4267->4256 4268->4228 4270 403fe3 4269->4270 4271 403fe9 SendMessageA 4269->4271 4270->4271 4271->4229 4272 401f2b 4273 402ac1 17 API calls 
4272->4273 4274 401f32 4273->4274 4275 406245 2 API calls 4274->4275 4276 401f38 4275->4276 4278 401f4a 4276->4278 4279 405ea0 wsprintfA 4276->4279 4279->4278 4280 40292c SendMessageA 4281 402951 4280->4281 4282 402946 InvalidateRect 4280->4282 4282->4281 4283 40442c 4284 404462 4283->4284 4285 40443c 4283->4285 4287 40406a 8 API calls 4284->4287 4286 404003 18 API calls 4285->4286 4289 404449 SetDlgItemTextA 4286->4289 4288 40446e 4287->4288 4289->4284 4290 403b2f 4291 403c82 4290->4291 4292 403b47 4290->4292 4294 403cd3 4291->4294 4295 403c93 GetDlgItem GetDlgItem 4291->4295 4292->4291 4293 403b53 4292->4293 4297 403b71 4293->4297 4298 403b5e SetWindowPos 4293->4298 4296 403d2d 4294->4296 4304 401389 2 API calls 4294->4304 4299 404003 18 API calls 4295->4299 4300 40404f SendMessageA 4296->4300 4320 403c7d 4296->4320 4301 403b76 ShowWindow 4297->4301 4302 403b8e 4297->4302 4298->4297 4303 403cbd SetClassLongA 4299->4303 4319 403d3f 4300->4319 4301->4302 4305 403bb0 4302->4305 4306 403b96 DestroyWindow 4302->4306 4307 40140b 2 API calls 4303->4307 4310 403d05 4304->4310 4308 403bb5 SetWindowLongA 4305->4308 4309 403bc6 4305->4309 4358 403f8c 4306->4358 4307->4294 4308->4320 4311 403bd2 GetDlgItem 4309->4311 4327 403c3d 4309->4327 4310->4296 4312 403d09 SendMessageA 4310->4312 4315 403c02 4311->4315 4316 403be5 SendMessageA IsWindowEnabled 4311->4316 4312->4320 4313 40140b 2 API calls 4313->4319 4314 403f8e DestroyWindow EndDialog 4314->4358 4322 403c0f 4315->4322 4325 403c56 SendMessageA 4315->4325 4326 403c22 4315->4326 4332 403c07 4315->4332 4316->4315 4316->4320 4317 40406a 8 API calls 4317->4320 4318 403fbd ShowWindow 4318->4320 4319->4313 4319->4314 4319->4320 4321 405f64 17 API calls 4319->4321 4324 404003 18 API calls 4319->4324 4333 404003 18 API calls 4319->4333 4349 403ece DestroyWindow 4319->4349 4321->4319 4322->4325 4322->4332 4323 403fdc SendMessageA 4323->4327 4324->4319 4325->4327 4328 403c2a 4326->4328 4329 403c3f 4326->4329 4327->4317 4331 40140b 
2 API calls 4328->4331 4330 40140b 2 API calls 4329->4330 4330->4332 4331->4332 4332->4323 4332->4327 4334 403dba GetDlgItem 4333->4334 4335 403dd7 ShowWindow EnableWindow 4334->4335 4336 403dcf 4334->4336 4359 404025 EnableWindow 4335->4359 4336->4335 4338 403e01 EnableWindow 4343 403e15 4338->4343 4339 403e1a GetSystemMenu EnableMenuItem SendMessageA 4340 403e4a SendMessageA 4339->4340 4339->4343 4340->4343 4342 403b10 18 API calls 4342->4343 4343->4339 4343->4342 4360 404038 SendMessageA 4343->4360 4361 405f42 lstrcpynA 4343->4361 4345 403e79 lstrlenA 4346 405f64 17 API calls 4345->4346 4347 403e8a SetWindowTextA 4346->4347 4348 401389 2 API calls 4347->4348 4348->4319 4350 403ee8 CreateDialogParamA 4349->4350 4349->4358 4351 403f1b 4350->4351 4350->4358 4352 404003 18 API calls 4351->4352 4353 403f26 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4352->4353 4354 401389 2 API calls 4353->4354 4355 403f6c 4354->4355 4355->4320 4356 403f74 ShowWindow 4355->4356 4357 40404f SendMessageA 4356->4357 4357->4358 4358->4318 4358->4320 4359->4338 4360->4343 4361->4345 4368 4026b4 4369 4026ba 4368->4369 4370 402951 4369->4370 4371 4026c2 FindClose 4369->4371 4371->4370 4372 402736 4373 402ac1 17 API calls 4372->4373 4374 402744 4373->4374 4375 40275a 4374->4375 4376 402ac1 17 API calls 4374->4376 4377 405ab6 2 API calls 4375->4377 4376->4375 4378 402760 4377->4378 4400 405adb GetFileAttributesA CreateFileA 4378->4400 4380 40276d 4381 402816 4380->4381 4382 402779 GlobalAlloc 4380->4382 4385 402831 4381->4385 4386 40281e DeleteFileA 4381->4386 4383 402792 4382->4383 4384 40280d CloseHandle 4382->4384 4401 403186 SetFilePointer 4383->4401 4384->4381 4386->4385 4388 402798 4389 403170 ReadFile 4388->4389 4390 4027a1 GlobalAlloc 4389->4390 4391 4027b1 4390->4391 4392 4027eb 4390->4392 4394 402f81 31 API calls 4391->4394 4393 405b82 WriteFile 4392->4393 4395 4027f7 GlobalFree 4393->4395 4399 4027be 4394->4399 4396 402f81 31 API calls 4395->4396 4397 40280a 4396->4397 
4397->4384 4398 4027e2 GlobalFree 4398->4392 4399->4398 4400->4380 4401->4388 4402 402837 4403 402a9f 17 API calls 4402->4403 4404 40283d 4403->4404 4405 402865 4404->4405 4406 40287c 4404->4406 4414 402716 4404->4414 4409 40286a 4405->4409 4410 402879 4405->4410 4407 402896 4406->4407 4408 402886 4406->4408 4412 405f64 17 API calls 4407->4412 4411 402a9f 17 API calls 4408->4411 4416 405f42 lstrcpynA 4409->4416 4417 405ea0 wsprintfA 4410->4417 4411->4414 4412->4414 4416->4414 4417->4414 4418 4014b7 4419 4014bd 4418->4419 4420 401389 2 API calls 4419->4420 4421 4014c5 4420->4421 2954 4036b8 2955 4036d0 2954->2955 2956 4036c2 CloseHandle 2954->2956 2961 4036fd 2955->2961 2956->2955 2962 40370b 2961->2962 2963 4036d5 2962->2963 2964 403710 FreeLibrary GlobalFree 2962->2964 2965 40570a 2963->2965 2964->2963 2964->2964 3002 4059c8 2965->3002 2968 405732 DeleteFileA 2997 4036e1 2968->2997 2969 405749 2970 405877 2969->2970 3017 405f42 lstrcpynA 2969->3017 2970->2997 3050 406245 FindFirstFileA 2970->3050 2972 40576f 2973 405782 2972->2973 2974 405775 lstrcatA 2972->2974 3018 405921 lstrlenA 2973->3018 2976 405788 2974->2976 2978 405796 lstrcatA 2976->2978 2980 4057a1 lstrlenA FindFirstFileA 2976->2980 2978->2980 2980->2970 3000 4057c5 2980->3000 2984 4056c2 5 API calls 2985 4058b1 2984->2985 2986 4058cb 2985->2986 2990 4058b5 2985->2990 2987 405069 24 API calls 2986->2987 2987->2997 2988 405856 FindNextFileA 2991 40586e FindClose 2988->2991 2988->3000 2992 405069 24 API calls 2990->2992 2990->2997 2991->2970 2993 4058c2 2992->2993 2994 405d21 36 API calls 2993->2994 2994->2997 2996 40570a 60 API calls 2996->3000 2998 405069 24 API calls 2998->2988 3000->2988 3000->2996 3000->2998 3022 405905 3000->3022 3026 405f42 lstrcpynA 3000->3026 3027 4056c2 3000->3027 3035 405069 3000->3035 3046 405d21 MoveFileExA 3000->3046 3056 405f42 lstrcpynA 3002->3056 3004 4059d9 3057 405973 CharNextA CharNextA 3004->3057 3007 40572a 3007->2968 3007->2969 3010 405a1a lstrlenA 3011 405a25 
3010->3011 3015 405a02 3010->3015 3013 4058da 3 API calls 3011->3013 3012 406245 2 API calls 3012->3015 3014 405a2a GetFileAttributesA 3013->3014 3014->3007 3015->3007 3015->3010 3015->3012 3016 405921 2 API calls 3015->3016 3016->3010 3017->2972 3019 40592e 3018->3019 3020 405933 CharPrevA 3019->3020 3021 40593f 3019->3021 3020->3019 3020->3021 3021->2976 3023 40590b 3022->3023 3024 40591e 3023->3024 3025 405911 CharNextA 3023->3025 3024->3000 3025->3023 3026->3000 3072 405ab6 GetFileAttributesA 3027->3072 3030 4056ef 3030->3000 3031 4056e5 DeleteFileA 3033 4056eb 3031->3033 3032 4056dd RemoveDirectoryA 3032->3033 3033->3030 3034 4056fb SetFileAttributesA 3033->3034 3034->3030 3036 405084 3035->3036 3045 405127 3035->3045 3037 4050a1 lstrlenA 3036->3037 3075 405f64 3036->3075 3039 4050ca 3037->3039 3040 4050af lstrlenA 3037->3040 3042 4050d0 SetWindowTextA 3039->3042 3043 4050dd 3039->3043 3041 4050c1 lstrcatA 3040->3041 3040->3045 3041->3039 3042->3043 3044 4050e3 SendMessageA SendMessageA SendMessageA 3043->3044 3043->3045 3044->3045 3045->3000 3047 405d42 3046->3047 3048 405d35 3046->3048 3047->3000 3104 405bb1 3048->3104 3051 40589b 3050->3051 3052 40625b FindClose 3050->3052 3051->2997 3053 4058da lstrlenA CharPrevA 3051->3053 3052->3051 3054 4058f4 lstrcatA 3053->3054 3055 4058a5 3053->3055 3054->3055 3055->2984 3056->3004 3058 40598e 3057->3058 3062 40599e 3057->3062 3060 405999 CharNextA 3058->3060 3058->3062 3059 4059be 3059->3007 3063 4061ac 3059->3063 3060->3059 3061 405905 CharNextA 3061->3062 3062->3059 3062->3061 3064 4061b8 3063->3064 3066 406215 CharNextA 3064->3066 3068 405905 CharNextA 3064->3068 3069 406220 3064->3069 3070 406203 CharNextA 3064->3070 3071 406210 CharNextA 3064->3071 3065 406224 CharPrevA 3065->3069 3066->3064 3066->3069 3067 4059ef 3067->3007 3067->3015 3068->3064 3069->3065 3069->3067 3070->3064 3071->3066 3073 4056ce 3072->3073 3074 405ac8 SetFileAttributesA 3072->3074 3073->3030 3073->3031 3073->3032 3074->3073 3076 405f71 
3075->3076 3077 406193 3076->3077 3080 40616d lstrlenA 3076->3080 3081 405f64 10 API calls 3076->3081 3084 406089 GetSystemDirectoryA 3076->3084 3086 40609c GetWindowsDirectoryA 3076->3086 3087 4061ac 5 API calls 3076->3087 3088 405f64 10 API calls 3076->3088 3089 406116 lstrcatA 3076->3089 3090 4060d0 SHGetSpecialFolderLocation 3076->3090 3092 405e29 3076->3092 3097 405ea0 wsprintfA 3076->3097 3098 405f42 lstrcpynA 3076->3098 3078 4061a8 3077->3078 3099 405f42 lstrcpynA 3077->3099 3078->3037 3080->3076 3081->3080 3084->3076 3086->3076 3087->3076 3088->3076 3089->3076 3090->3076 3091 4060e8 SHGetPathFromIDListA CoTaskMemFree 3090->3091 3091->3076 3100 405dc8 3092->3100 3095 405e8c 3095->3076 3096 405e5d RegQueryValueExA RegCloseKey 3096->3095 3097->3076 3098->3076 3099->3078 3101 405dd7 3100->3101 3102 405de0 RegOpenKeyExA 3101->3102 3103 405ddb 3101->3103 3102->3103 3103->3095 3103->3096 3105 405bd7 3104->3105 3106 405bfd GetShortPathNameA 3104->3106 3131 405adb GetFileAttributesA CreateFileA 3105->3131 3108 405c12 3106->3108 3109 405d1c 3106->3109 3108->3109 3111 405c1a wsprintfA 3108->3111 3109->3047 3110 405be1 CloseHandle GetShortPathNameA 3110->3109 3112 405bf5 3110->3112 3113 405f64 17 API calls 3111->3113 3112->3106 3112->3109 3114 405c42 3113->3114 3132 405adb GetFileAttributesA CreateFileA 3114->3132 3116 405c4f 3116->3109 3117 405c5e GetFileSize GlobalAlloc 3116->3117 3118 405c80 3117->3118 3119 405d15 CloseHandle 3117->3119 3133 405b53 ReadFile 3118->3133 3119->3109 3124 405cb3 3126 405a40 4 API calls 3124->3126 3125 405c9f lstrcpyA 3127 405cc1 3125->3127 3126->3127 3128 405cf8 SetFilePointer 3127->3128 3140 405b82 WriteFile 3128->3140 3131->3110 3132->3116 3134 405b71 3133->3134 3134->3119 3135 405a40 lstrlenA 3134->3135 3136 405a81 lstrlenA 3135->3136 3137 405a89 3136->3137 3138 405a5a lstrcmpiA 3136->3138 3137->3124 3137->3125 3138->3137 3139 405a78 CharNextA 3138->3139 3139->3136 3141 405ba0 GlobalFree 3140->3141 3141->3119 4422 401b39 4423 402ac1 
17 API calls 4422->4423 4424 401b40 4423->4424 4425 402a9f 17 API calls 4424->4425 4426 401b49 wsprintfA 4425->4426 4427 402951 4426->4427 4428 40233a 4429 402ac1 17 API calls 4428->4429 4430 40234b 4429->4430 4431 402ac1 17 API calls 4430->4431 4432 402354 4431->4432 4433 402ac1 17 API calls 4432->4433 4434 40235e GetPrivateProfileStringA 4433->4434 3222 4015bb 3223 402ac1 17 API calls 3222->3223 3224 4015c2 3223->3224 3225 405973 4 API calls 3224->3225 3235 4015ca 3225->3235 3226 401624 3228 401652 3226->3228 3229 401629 3226->3229 3227 405905 CharNextA 3227->3235 3231 401423 24 API calls 3228->3231 3242 401423 3229->3242 3239 40164a 3231->3239 3235->3226 3235->3227 3238 4015f3 3235->3238 3240 40160c GetFileAttributesA 3235->3240 3246 4055c9 3235->3246 3254 4055ac CreateDirectoryA 3235->3254 3237 40163b SetCurrentDirectoryA 3237->3239 3238->3235 3249 40552f CreateDirectoryA 3238->3249 3240->3235 3243 405069 24 API calls 3242->3243 3244 401431 3243->3244 3245 405f42 lstrcpynA 3244->3245 3245->3237 3257 4062da GetModuleHandleA 3246->3257 3250 405580 GetLastError 3249->3250 3251 40557c 3249->3251 3250->3251 3252 40558f SetFileSecurityA 3250->3252 3251->3238 3252->3251 3253 4055a5 GetLastError 3252->3253 3253->3251 3255 4055c0 GetLastError 3254->3255 3256 4055bc 3254->3256 3255->3256 3256->3235 3258 406300 GetProcAddress 3257->3258 3259 4062f6 3257->3259 3261 4055d0 3258->3261 3263 40626c GetSystemDirectoryA 3259->3263 3261->3235 3262 4062fc 3262->3258 3262->3261 3264 40628e wsprintfA LoadLibraryExA 3263->3264 3264->3262 4435 401d3b GetDlgItem GetClientRect 4436 402ac1 17 API calls 4435->4436 4437 401d6b LoadImageA SendMessageA 4436->4437 4438 402951 4437->4438 4439 401d89 DeleteObject 4437->4439 4439->4438 4440 4016bb 4441 402ac1 17 API calls 4440->4441 4442 4016c1 GetFullPathNameA 4441->4442 4443 4016d8 4442->4443 4449 4016f9 4442->4449 4446 406245 2 API calls 4443->4446 4443->4449 4444 402951 4445 40170d GetShortPathNameA 4445->4444 4447 4016e9 4446->4447 
4447->4449 4450 405f42 lstrcpynA 4447->4450 4449->4444 4449->4445 4450->4449

                                  Control-flow Graph
                                  APIs
                                  • SetErrorMode.KERNELBASE ref: 004031F3
                                  • GetVersion.KERNEL32 ref: 004031F9
                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040322C
                                  • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403268
                                  • OleInitialize.OLE32(00000000), ref: 0040326F
                                  • SHGetFileInfoA.SHELL32(0079E500,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 0040328B
                                  • GetCommandLineA.KERNEL32(007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 004032A0
                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Rage.exe",00000000,?,00000006,00000008,0000000A), ref: 004032B3
                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Rage.exe",00000020,?,00000006,00000008,0000000A), ref: 004032DE
                                  • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033DB
                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033EC
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033F8
                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040340C
                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403414
                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403425
                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040342D
                                  • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403441
                                    • Part of subcall function 004062DA: GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
                                    • Part of subcall function 004062DA: GetProcAddress.KERNEL32(00000000,?), ref: 00406307
                                    • Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F
                                    • Part of subcall function 00403792: GetUserDefaultUILanguage.KERNELBASE(00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 004037AC
                                    • Part of subcall function 00403792: lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,?,?,open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000000,C:\ProgramData\wvtynvwe,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410), ref: 00403882
                                    • Part of subcall function 00403792: lstrcmpiA.KERNEL32(?,.exe), ref: 00403895
                                    • Part of subcall function 00403792: GetFileAttributesA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004038A0
                                    • Part of subcall function 00403792: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\ProgramData\wvtynvwe), ref: 004038E9
                                    • Part of subcall function 00403792: RegisterClassA.USER32(007A26E0), ref: 00403926
                                  • ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 004034EA
                                    • Part of subcall function 004036B8: CloseHandle.KERNEL32(FFFFFFFF,004034EF,?,?,00000006,00000008,0000000A), ref: 004036C3
                                  • CoUninitialize.COMBASE(?,?,00000006,00000008,0000000A), ref: 004034EF
                                  • ExitProcess.KERNEL32 ref: 00403510
                                  • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040362D
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403634
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040364C
                                  • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040366B
                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 0040368F
                                  • ExitProcess.KERNEL32 ref: 004036B2
                                    • Part of subcall function 0040565E: MessageBoxIndirectA.USER32(0040A218), ref: 004056B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Process$Exit$FileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpilstrcpyn
                                  • String ID: "$"C:\Users\user\Desktop\Rage.exe"$.tmp$1033$C:\ProgramData\wvtynvwe$C:\ProgramData\wvtynvwe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Rage.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                  • API String ID: 3861850387-1526231467
                                  • Opcode ID: 54dfbb4b5d42e962b35138971a0652499d0f60d33a266ff226056ae41e917d95
                                  • Instruction ID: ea326dcf1c0b3132f51e3ff7546da7ae9c11cd61220b9029df30233a3f69a636
                                  • Opcode Fuzzy Hash: 54dfbb4b5d42e962b35138971a0652499d0f60d33a266ff226056ae41e917d95
                                  • Instruction Fuzzy Hash: FAC1C570104741AAD7216F759E49A2F3FADAB8630AF04457FF581B51E2CB7C8A05CB2E

                                  Control-flow Graph
                                  APIs
                                    • Part of subcall function 004062DA: GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
                                    • Part of subcall function 004062DA: GetProcAddress.KERNEL32(00000000,?), ref: 00406307
                                  • GetUserDefaultUILanguage.KERNELBASE(00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 004037AC
                                    • Part of subcall function 00405EA0: wsprintfA.USER32 ref: 00405EAD
                                  • lstrcatA.KERNEL32(1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 0040380D
                                  • lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,?,?,open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000000,C:\ProgramData\wvtynvwe,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410), ref: 00403882
                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 00403895
                                  • GetFileAttributesA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004038A0
                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\ProgramData\wvtynvwe), ref: 004038E9
                                  • RegisterClassA.USER32(007A26E0), ref: 00403926
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040393E
                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403973
                                  • ShowWindow.USER32(00000005,00000000), ref: 004039A9
                                  • GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 004039D5
                                  • GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 004039E2
                                  • RegisterClassA.USER32(007A26E0), ref: 004039EB
                                  • DialogBoxParamA.USER32(?,00000000,00403B2F,00000000), ref: 00403A0A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: "C:\Users\user\Desktop\Rage.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\ProgramData\wvtynvwe$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\ProgramData\wvtynvwe\AutoIt3.exe$&z
                                  • API String ID: 606308-4152628808
                                  • Opcode ID: 4573ba04ebc77884384a9dff4b57512f3d1cc68e7e8383aaaadbd8588d4d55f5
                                  • Instruction ID: 6bdd0c24031e65af1bb83e80dbe2e3bb6674319255249ac8b849c9fe46f77251
                                  • Opcode Fuzzy Hash: 4573ba04ebc77884384a9dff4b57512f3d1cc68e7e8383aaaadbd8588d4d55f5
                                  • Instruction Fuzzy Hash: AE61D571240600BED610BF659D45F3B3AACEB85749F00857FF980B22E2DB7D99068B2D

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 402d48, basic blocks 402d48-402f7e; Windows APIs called: GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc, SetFilePointer; internal subcalls: 405adb, 405f42, 405921, 402ce4, 403170, 405a96, 403186, 402f81, 406391
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00402D59
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Rage.exe,00000400), ref: 00402D75
                                    • Part of subcall function 00405ADB: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
                                    • Part of subcall function 00405ADB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01
                                  • GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00402DC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                  • String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Rage.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                  • API String ID: 4283519449-4189184754
                                  • Opcode ID: fd2093084ae6f2f361c09d7edbe045a2102e248848af7ed0038dbebb5adda0e8
                                  • Instruction ID: 431bbe5dcf390c8e3b41a4a2cddc22f4a4d5a60d02444a29ee6e72f21c3f1069
                                  • Opcode Fuzzy Hash: fd2093084ae6f2f361c09d7edbe045a2102e248848af7ed0038dbebb5adda0e8
                                  • Instruction Fuzzy Hash: F351E23194021AABDB109F65DE89B9F7BB8EB05354F10413BFA04B62D1D7BC8D818B9D

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 401759, basic blocks 401759-402960; Windows APIs called: lstrcatA, CompareFileTime, SetFileTime, CloseHandle; internal subcalls: 402ac1, 405947, 405f42, 4058da, 4061ac, 406245, 405ab6, 405adb, 405069, 402f81, 40565e, 405f64
                                  APIs
                                  • lstrcatA.KERNEL32(00000000,00000000,open,C:\ProgramData\wvtynvwe,00000000,00000000,00000031), ref: 00401798
                                  • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\ProgramData\wvtynvwe,00000000,00000000,00000031), ref: 004017C2
                                    • Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F
                                    • Part of subcall function 00405069: lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
                                    • Part of subcall function 00405069: lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
                                    • Part of subcall function 00405069: lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
                                    • Part of subcall function 00405069: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                  • String ID: C:\ProgramData\wvtynvwe$C:\ProgramData\wvtynvwe\clxs.a3x$open$open C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 1941528284-3126961360
                                  • Opcode ID: 0d43fd7dd8353952853e9013bf133ef40285121c9ea51c1581a1687533a7fe47
                                  • Instruction ID: dd9c0c15e66697baca7a35a40d3b20135c8550c1c4c1c20121428b1abfe738c2
                                  • Opcode Fuzzy Hash: 0d43fd7dd8353952853e9013bf133ef40285121c9ea51c1581a1687533a7fe47
                                  • Instruction Fuzzy Hash: 7041E531904516BACF10BBB5CC45DAF3679EF41328B20837BF522B20E1C67C8A419E6E
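The String ID values of this and the neighbouring blocks carry the file-system indicators that matter for triage: an AutoIt interpreter (AutoIt3.exe) and a compiled script (clxs.a3x) written to the same directory under C:\ProgramData, plus the "open" verb beside the interpreter path. The following Python is an added example, not part of the Joe Sandbox report or of the sample; it splits the `$`-joined String ID values as the report prints them, pulls the Windows paths out of them, and flags an AutoIt interpreter that shares a user-writable directory with an .a3x script. The sample input is copied from the report above; the directory and file-name heuristics are this example's own assumptions.

```python
import re

# Sample "String ID" values copied from the function blocks of this report
# (constructed test input for this example; Joe Sandbox joins the strings
# of one function with '$').
SAMPLE_STRING_IDS = [
    'C:\\ProgramData\\wvtynvwe$C:\\ProgramData\\wvtynvwe\\clxs.a3x$open'
    '$open C:\\ProgramData\\wvtynvwe\\AutoIt3.exe',
    '"C:\\Users\\user\\Desktop\\Rage.exe"$C:\\Users\\user\\AppData\\Local\\Temp\\$nsa',
    '%s%s.dll$UXTHEME$\\',
]

# A drive-letter Windows path; components may contain spaces but none of the
# characters NTFS forbids, and no '$' because that is the report's separator.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n$]+\\)*[^\\/:*?"<>|\r\n$]*')
# Heuristics for the pattern seen above (this example's own, not the report's).
AUTOIT_EXE_RE = re.compile(r'\\autoit3(?:_x64)?\.exe$', re.IGNORECASE)
A3X_RE = re.compile(r'\.a3x$', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r'^[A-Za-z]:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\', re.IGNORECASE)


def split_string_ids(value):
    """Split one 'String ID' value into the individual strings it lists."""
    return [s for s in value.split('$') if s]


def extract_paths(string_ids):
    """Return the unique Windows paths found in a list of String ID values."""
    found = set()
    for value in string_ids:
        for s in split_string_ids(value):
            for m in WIN_PATH_RE.finditer(s):
                found.add(m.group(0))
    return sorted(found)


def find_autoit_drops(paths):
    """Pair an AutoIt interpreter with .a3x scripts in the same user-writable dir."""
    by_dir = {}
    for p in paths:
        directory, _, _name = p.rpartition('\\')
        by_dir.setdefault(directory.lower(), []).append(p)
    hits = []
    for directory, members in by_dir.items():
        if not USER_WRITABLE_RE.match(directory + '\\'):
            continue  # system and Program Files locations are out of scope here
        exes = [m for m in members if AUTOIT_EXE_RE.search(m)]
        scripts = [m for m in members if A3X_RE.search(m)]
        hits.extend((e, s) for e in exes for s in scripts)
    return hits


if __name__ == '__main__':
    paths = extract_paths(SAMPLE_STRING_IDS)
    for p in paths:
        print(p)
    for exe, script in find_autoit_drops(paths):
        print('AutoIt drop:', exe, '->', script)
```

The pairing rule is deliberately narrow: a legitimate AutoIt installation under Program Files is not reported, and a lone .a3x file without an interpreter beside it is not either, so the output is only the interpreter/script pair that this installer stages.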

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 40626c, basic blocks 40626c-4062d7; Windows APIs called: GetSystemDirectoryA, wsprintfA, LoadLibraryExA; no internal subcalls
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406283
                                  • wsprintfA.USER32 ref: 004062BC
                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                  • String ID: %s%s.dll$UXTHEME$\
                                  • API String ID: 2200240437-4240819195
                                  • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                  • Instruction ID: faee1f553c32e40c51e8eba8ef91b672ff9b85d18c2ea7a865910a86d6ce685a
                                  • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                  • Instruction Fuzzy Hash: 34F0F630500609ABEF14AB64DD0DFEB375CAB08304F1404BEA686F10C1EAB8D9258B68

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 402f81, basic blocks 402f81-40316d; Windows APIs called: GetTickCount (twice), MulDiv, wsprintfA; internal subcalls: 403170, 403186, 4063ff, 405069, 405b82
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CountTick$wsprintf
                                  • String ID: ... %d%%
                                  • API String ID: 551687249-2449383134
                                  • Opcode ID: 395bbff9825787910bb7d588d8f06c8aea948aff440e28438afa561c5abaef61
                                  • Instruction ID: 4f4b31f3c2c8719a6221e0ae45b4e5efb49971fa938741557c66a7ddabd37736
                                  • Opcode Fuzzy Hash: 395bbff9825787910bb7d588d8f06c8aea948aff440e28438afa561c5abaef61
                                  • Instruction Fuzzy Hash: CE516E319012199BCB10DFA5DA44A9F7BB8EB08756F14413BF910BB2D0D7789F40CBA9

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 405b0a, basic blocks 405b0a-405b51; Windows APIs called: GetTickCount, GetTempFileNameA; no internal subcalls
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00405B1E
                                  • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CountFileNameTempTick
                                  • String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                  • API String ID: 1716503409-1349086275
                                  • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                  • Instruction ID: bf28a9a74c6123c17d6ea431a1df647465e9dab3760c1a926ea6b161aa6db928
                                  • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                  • Instruction Fuzzy Hash: C8F082363042046BEB109F56DD04B9BBBADDFD1750F10803BFA489B280D6B4A9548B58

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 4015bb, basic blocks 4015bb-402960; Windows APIs called: GetFileAttributesA, SetCurrentDirectoryA; internal subcalls: 402ac1, 405973, 405905, 4055ac, 401423, 405f42, 4055c9, 40552f
                                  APIs
                                    • Part of subcall function 00405973: CharNextA.USER32(?,?,007A0948,?,004059DF,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405981
                                    • Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 00405986
                                    • Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 0040599A
                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                    • Part of subcall function 0040552F: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405572
                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\ProgramData\wvtynvwe,00000000,00000000,000000F0), ref: 0040163C
                                  Strings
                                  • C:\ProgramData\wvtynvwe, xrefs: 00401631
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                  • String ID: C:\ProgramData\wvtynvwe
                                  • API String ID: 1892508949-2371683539
                                  • Opcode ID: 4b67de153c8d73bd22696679ffb2b688d2c98a0fa6de6dd23771108c840cb84a
                                  • Instruction ID: f5f4b3145e6fc53207d119520a298daebfb9a90f2eaea5cdf5ae3df67ae6ba32
                                  • Opcode Fuzzy Hash: 4b67de153c8d73bd22696679ffb2b688d2c98a0fa6de6dd23771108c840cb84a
                                  • Instruction Fuzzy Hash: D711C831608156EBCF217B654D4157F26B09A92324B28057FE9D1B22E2D63D4D429A2E

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 401389, basic blocks 401389-401409; Windows APIs called: MulDiv, SendMessageA; internal subcalls: 401434, 40136d
                                  APIs
                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
                                  • Instruction ID: b093ac6dabfd3bf5cd98619b9c3e878c543c382afaa1261ab96434968757bf0e
                                  • Opcode Fuzzy Hash: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
                                  • Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B6A36A8E751354F10813FF955F65F2D678CC028B4C

                                  Control-flow Graph

                                   control_flow_graph (text export of the graph image; node ids and edge list omitted): function 4062da, basic blocks 4062da-406313; Windows APIs called: GetModuleHandleA, GetProcAddress; internal subcalls: 40626c
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406307
                                    • Part of subcall function 0040626C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406283
                                    • Part of subcall function 0040626C: wsprintfA.USER32 ref: 004062BC
                                    • Part of subcall function 0040626C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                  • String ID:
                                  • API String ID: 2547128583-0
                                  • Opcode ID: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
                                  • Instruction ID: 6d4d7ac2ac74d54284c03329a575cd53d6fd54091c86bc9b4f5055757ed92d74
                                  • Opcode Fuzzy Hash: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
                                  • Instruction Fuzzy Hash: B0E0863260421057D21066715E04A3B72A89F84700302043EF946F2140DB389C3697AD

                                  Control-flow Graph

                                  control_flow_graph 475 405adb-405b07 GetFileAttributesA CreateFileA
                                  APIs
                                  • GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: File$AttributesCreate
                                  • String ID:
                                  • API String ID: 415043291-0
                                  • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                  • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                  • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                  • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

                                  Control-flow Graph

                                  control_flow_graph 476 405ab6-405ac6 GetFileAttributesA 477 405ad5-405ad8 476->477 478 405ac8-405acf SetFileAttributesA 476->478 478->477
                                  APIs
                                  • GetFileAttributesA.KERNELBASE(?,?,004056CE,?,?,00000000,004058B1,?,?,?,?), ref: 00405ABB
                                  • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405ACF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                  • Instruction ID: aac931f15d2d7ee1e7e221b8fb91e87f1231b7c2176c4a2b53cffd82f2b4ddf1
                                  • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                  • Instruction Fuzzy Hash: 63D0C972504121ABD2102728AE0889BBB55DB54271712CB35F8A9A26F1DB304C569AA8

                                  Control-flow Graph

                                  control_flow_graph 479 4055ac-4055ba CreateDirectoryA 480 4055c0 GetLastError 479->480 481 4055bc-4055be 479->481 482 4055c6 480->482 481->482
                                  APIs
                                  • CreateDirectoryA.KERNELBASE(?,00000000,004031C1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004055B2
                                  • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast
                                  • String ID:
                                  • API String ID: 1375471231-0
                                  • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                  • Instruction ID: d679fad9c672f6a8ccfbb6da76b293a182284e12660a0008c2510280bf930a01
                                  • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                  • Instruction Fuzzy Hash: 34C04C70214601FED6515B319F09B1B7EE6EB90781F11843A6146E41F4DA348455D92E

                                  Control-flow Graph

                                  control_flow_graph 496 405b53-405b6f ReadFile 497 405b71-405b74 496->497 498 405b7b 496->498 497->498 499 405b76-405b79 497->499 500 405b7d-405b7f 498->500 499->500
                                  APIs
                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403183,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B67
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                  • Instruction ID: b7d91c5420632eddea9312ae655271143aa9063ea302fc5b9ab1ab8bce17f77e
                                  • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                  • Instruction Fuzzy Hash: C3E0EC3221065EABDF109E559C40EEB7B6CFB053A0F008476FD25E3150E631F8219FA4
                                  APIs
                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403139,00000000,0078A0F8,000000FF,0078A0F8,000000FF,000000FF,00000004,00000000), ref: 00405B96
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                  • Instruction ID: dc12008b84dc55f9eae4749af390a7f63d9cada5657987a7308dd9f5849e87fb
                                  • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                  • Instruction Fuzzy Hash: D6E0EC3221065AABDF609E559C04AEB7B6CEB05360F004436F915E2150D675F921DBB8
                                  APIs
                                  • ShellExecuteExA.SHELL32(?,00401EBC,?), ref: 00405633
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID:
                                  • API String ID: 587946157-0
                                  • Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                  • Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
                                  • Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                  • Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 00403194
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                  • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                  • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                  • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                  APIs
                                  • CloseHandle.KERNEL32(FFFFFFFF,004034EF,?,?,00000006,00000008,0000000A), ref: 004036C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 1614ba02b2613583747f204f4b2df3f5a1e6ee72f31db953788cc790fd2339e2
                                  • Instruction ID: e5b7db38883734f5cd43fd9a982a580d4974862b55da1e12b5eb97a8bd040236
                                  • Opcode Fuzzy Hash: 1614ba02b2613583747f204f4b2df3f5a1e6ee72f31db953788cc790fd2339e2
                                  • Instruction Fuzzy Hash: 0BC01230500704A6C5706F759E4F9053A545B81735F500735F0B5B11F1CB7C665AA55E
                                  APIs
                                  • GetDlgItem.USER32(?,000003F9), ref: 004049FE
                                  • GetDlgItem.USER32(?,00000408), ref: 00404A09
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A53
                                  • LoadBitmapA.USER32(0000006E), ref: 00404A66
                                  • SetWindowLongA.USER32(?,000000FC,00404FDD), ref: 00404A7F
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A93
                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AA5
                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404ABB
                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AC7
                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AD9
                                  • DeleteObject.GDI32(00000000), ref: 00404ADC
                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B07
                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B13
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BA8
                                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BD3
                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BE7
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404C16
                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C24
                                  • ShowWindow.USER32(?,00000005), ref: 00404C35
                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D32
                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D97
                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DAC
                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DD0
                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DF0
                                  • ImageList_Destroy.COMCTL32(?), ref: 00404E05
                                  • GlobalFree.KERNEL32(?), ref: 00404E15
                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E8E
                                  • SendMessageA.USER32(?,00001102,?,?), ref: 00404F37
                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F46
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F66
                                  • ShowWindow.USER32(?,00000000), ref: 00404FB4
                                  • GetDlgItem.USER32(?,000003FE), ref: 00404FBF
                                  • ShowWindow.USER32(00000000), ref: 00404FC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                  • String ID: $M$N
                                  • API String ID: 1638840714-813528018
                                  • Opcode ID: 93a5dea554acafdd7f9fa93af182cc67e10ddeacb3b9749c107691ee74c0e35b
                                  • Instruction ID: feb09b03230ec9de5227bb28ba9f3f750fb888e87e2cf3f84613fbf0b179ef39
                                  • Opcode Fuzzy Hash: 93a5dea554acafdd7f9fa93af182cc67e10ddeacb3b9749c107691ee74c0e35b
                                  • Instruction Fuzzy Hash: FC028FB0900209EFEB149F68DD85AAE7BB5FB84315F10813AF610B62E1C7789D52DF58
                                  APIs
                                  • GetDlgItem.USER32(?,00000403), ref: 00405206
                                  • GetDlgItem.USER32(?,000003EE), ref: 00405215
                                  • GetClientRect.USER32(?,?), ref: 00405252
                                  • GetSystemMetrics.USER32(00000002), ref: 00405259
                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040527A
                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040528B
                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040529E
                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052AC
                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052BF
                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052E1
                                  • ShowWindow.USER32(?,00000008), ref: 004052F5
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405316
                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405326
                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040533F
                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040534B
                                  • GetDlgItem.USER32(?,000003F8), ref: 00405224
                                    • Part of subcall function 00404038: SendMessageA.USER32(00000028,?,00000001,00403E68), ref: 00404046
                                  • GetDlgItem.USER32(?,000003EC), ref: 00405367
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000513B,00000000), ref: 00405375
                                  • CloseHandle.KERNEL32(00000000), ref: 0040537C
                                  • ShowWindow.USER32(00000000), ref: 0040539F
                                  • ShowWindow.USER32(?,00000008), ref: 004053A6
                                  • ShowWindow.USER32(00000008), ref: 004053EC
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405420
                                  • CreatePopupMenu.USER32 ref: 00405431
                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405446
                                  • GetWindowRect.USER32(?,000000FF), ref: 00405466
                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040547F
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054BB
                                  • OpenClipboard.USER32(00000000), ref: 004054CB
                                  • EmptyClipboard.USER32 ref: 004054D1
                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 004054DA
                                  • GlobalLock.KERNEL32(00000000), ref: 004054E4
                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054F8
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405511
                                  • SetClipboardData.USER32(00000001,00000000), ref: 0040551C
                                  • CloseClipboard.USER32 ref: 00405522
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                  • String ID:
                                  • API String ID: 590372296-0
                                  APIs
                                  • GetDlgItem.USER32(?,000003FB), ref: 004044C2
                                  • SetWindowTextA.USER32(00000000,?), ref: 004044EC
                                  • SHBrowseForFolderA.SHELL32(?,0079E918,?), ref: 0040459D
                                  • CoTaskMemFree.OLE32(00000000), ref: 004045A8
                                  • lstrcmpiA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,0079F540), ref: 004045DA
                                  • lstrcatA.KERNEL32(?,open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004045E6
                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045F8
                                    • Part of subcall function 00405642: GetDlgItemTextA.USER32(?,?,00000400,0040462F), ref: 00405655
                                    • Part of subcall function 004061AC: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406204
                                    • Part of subcall function 004061AC: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406211
                                    • Part of subcall function 004061AC: CharNextA.USER32(?,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406216
                                    • Part of subcall function 004061AC: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406226
                                  • GetDiskFreeSpaceA.KERNEL32(0079E510,?,?,0000040F,?,0079E510,0079E510,?,00000001,0079E510,?,?,000003FB,?), ref: 004046B6
                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046D1
                                    • Part of subcall function 0040482A: lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404745,000000DF,00000000,00000400,?), ref: 004048C8
                                    • Part of subcall function 0040482A: wsprintfA.USER32 ref: 004048D0
                                    • Part of subcall function 0040482A: SetDlgItemTextA.USER32(?,0079F540), ref: 004048E3
                                  Similarity
                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                  • String ID: A$C:\ProgramData\wvtynvwe$open C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 2624150263-3232468740
                                  APIs
                                  • DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405733
                                  • lstrcatA.KERNEL32(007A0548,\*.*,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040577B
                                  • lstrcatA.KERNEL32(?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579C
                                  • lstrlenA.KERNEL32(?,?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A2
                                  • FindFirstFileA.KERNEL32(007A0548,?,?,?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057B3
                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405860
                                  • FindClose.KERNEL32(00000000), ref: 00405871
                                  Strings
                                  • \*.*, xrefs: 00405775
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405717
                                  • "C:\Users\user\Desktop\Rage.exe", xrefs: 0040570A
                                  Similarity
                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                  • String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                  • API String ID: 2035342205-2828151234
                                  APIs
                                  • CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                  Strings
                                  • C:\ProgramData\wvtynvwe, xrefs: 0040218D
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID: C:\ProgramData\wvtynvwe
                                  • API String ID: 123533781-2371683539
                                  APIs
                                  • FindFirstFileA.KERNEL32(75923410,007A0D90,007A0948,00405A0B,007A0948,007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00406250
                                  • FindClose.KERNEL32(00000000), ref: 0040625C
                                  Similarity
                                  • API ID: Find$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2295610775-0
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B6B
                                  • ShowWindow.USER32(?), ref: 00403B88
                                  • DestroyWindow.USER32 ref: 00403B9C
                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BB8
                                  • GetDlgItem.USER32(?,?), ref: 00403BD9
                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BED
                                  • IsWindowEnabled.USER32(00000000), ref: 00403BF4
                                  • GetDlgItem.USER32(?,00000001), ref: 00403CA2
                                  • GetDlgItem.USER32(?,00000002), ref: 00403CAC
                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403CC6
                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D17
                                  • GetDlgItem.USER32(?,00000003), ref: 00403DBD
                                  • ShowWindow.USER32(00000000,?), ref: 00403DDE
                                  • EnableWindow.USER32(?,?), ref: 00403DF0
                                  • EnableWindow.USER32(?,?), ref: 00403E0B
                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E21
                                  • EnableMenuItem.USER32(00000000), ref: 00403E28
                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E40
                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E53
                                  • lstrlenA.KERNEL32(0079F540,?,0079F540,00000000), ref: 00403E7D
                                  • SetWindowTextA.USER32(?,0079F540), ref: 00403E8C
                                  • ShowWindow.USER32(?,0000000A), ref: 00403FC0
                                  Similarity
                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                  • String ID:
                                  • API String ID: 184305955-0
                                  APIs
                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041D7
                                  • GetDlgItem.USER32(00000000,000003E8), ref: 004041EB
                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404209
                                  • GetSysColor.USER32(?), ref: 0040421A
                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404229
                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404238
                                  • lstrlenA.KERNEL32(?), ref: 0040423B
                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040424A
                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040425F
                                  • GetDlgItem.USER32(?,0000040A), ref: 004042C1
                                  • SendMessageA.USER32(00000000), ref: 004042C4
                                  • GetDlgItem.USER32(?,000003E8), ref: 004042EF
                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040432F
                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0040433E
                                  • SetCursor.USER32(00000000), ref: 00404347
                                  • LoadCursorA.USER32(00000000,00007F00), ref: 0040435D
                                  • SetCursor.USER32(00000000), ref: 00404360
                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040438C
                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043A0
                                  Similarity
                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                  • String ID: N$open C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 3103080414-3750366646
                                  APIs
                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                  • BeginPaint.USER32(?,?), ref: 00401047
                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                  • DeleteObject.GDI32(?), ref: 004010ED
                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                  • DrawTextA.USER32(00000000,007A2740,000000FF,00000010,00000820), ref: 00401156
                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                  • DeleteObject.GDI32(?), ref: 00401165
                                  • EndPaint.USER32(?,?), ref: 0040116E
                                  Similarity
                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                  • String ID: F
                                  • API String ID: 941294808-1304234792
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D42,?,?), ref: 00405BE2
                                  • GetShortPathNameA.KERNEL32(?,007A12D0,00000400), ref: 00405BEB
                                    • Part of subcall function 00405A40: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A50
                                    • Part of subcall function 00405A40: lstrlenA.KERNEL32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A82
                                  • GetShortPathNameA.KERNEL32(?,007A16D0,00000400), ref: 00405C08
                                  • wsprintfA.USER32 ref: 00405C26
                                  • GetFileSize.KERNEL32(00000000,00000000,007A16D0,C0000000,00000004,007A16D0,?,?,?,?,?), ref: 00405C61
                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C70
                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA8
                                  • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED0,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFE
                                  • GlobalFree.KERNEL32(00000000), ref: 00405D0F
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D16
                                    • Part of subcall function 00405ADB: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
                                    • Part of subcall function 00405ADB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                  • String ID: %s=%s$[Rename]
                                  • API String ID: 2171350718-1727408572
                                  • Opcode ID: 36d44f5c9853182170fdc09cfff86aa36828fe8a00fb97525ec3968d79f5ff8e
                                  • Instruction ID: 637a3d628f16c5af013d2b0d1efa584cc5f297bc3ade19b8e2238539b1010773
                                  • Opcode Fuzzy Hash: 36d44f5c9853182170fdc09cfff86aa36828fe8a00fb97525ec3968d79f5ff8e
                                  • Instruction Fuzzy Hash: E6311231205B157BD2203B659D48F6B3A6CDF85754F28053AFA01F62D2EA3CE8018EBD
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000400), ref: 0040608F
                                  • GetWindowsDirectoryA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000400,?,0079ED20,00000000,004050A1,0079ED20,00000000), ref: 004060A2
                                  • SHGetSpecialFolderLocation.SHELL32(004050A1,759223A0,?,0079ED20,00000000,004050A1,0079ED20,00000000), ref: 004060DE
                                  • SHGetPathFromIDListA.SHELL32(759223A0,open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004060EC
                                  • CoTaskMemFree.OLE32(759223A0), ref: 004060F8
                                  • lstrcatA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040611C
                                  • lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0079ED20,00000000,004050A1,0079ED20,00000000,00000000,00790475,759223A0), ref: 0040616E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                  • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 717251189-2195795450
                                  • Opcode ID: 4550c8ed14394774286f8022b57fa57a0b33301bca964282d4e54840fc3ca20a
                                  • Instruction ID: 657cab0ace126491ae758d46bb2980ba0dc5c343891863a13133d2e564576f3a
                                  • Opcode Fuzzy Hash: 4550c8ed14394774286f8022b57fa57a0b33301bca964282d4e54840fc3ca20a
                                  • Instruction Fuzzy Hash: 87611471900111AFEF109F68DC85BBA3BA4AB46314F12413FE943BA2D2C77D4962CB4E
                                  APIs
                                  • lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
                                  • lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
                                  • lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
                                  • SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                  • String ID: y
                                  • API String ID: 2531174081-1062152503
                                  • Opcode ID: df9fa322c0453a065a888b8f71298073a1822c311b4ca3682e0548b8907b6f01
                                  • Instruction ID: 89683e74244f30e825ec863f7a89f7bffe3770603979b342a6609b7659f93117
                                  • Opcode Fuzzy Hash: df9fa322c0453a065a888b8f71298073a1822c311b4ca3682e0548b8907b6f01
                                  • Instruction Fuzzy Hash: F5218C71900518BACF119FA5DD84A9FBFA9EB09354F14807AF544AA290C7788A40CFA8
                                  APIs
                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406204
                                  • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406211
                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406216
                                  • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406226
                                  Strings
                                  • *?|<>/":, xrefs: 004061F4
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004061AD
                                  • "C:\Users\user\Desktop\Rage.exe", xrefs: 004061E8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Char$Next$Prev
                                  • String ID: "C:\Users\user\Desktop\Rage.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 589700163-3651791744
                                  • Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                  • Instruction ID: bdcb7cc7c91d871583b49daff1dd0f9603b265494e114170260e43a32c5c6c09
                                  • Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                                  • Instruction Fuzzy Hash: BB1108618047A129EB3226245C44B7B7FC88F577A0F1A00BFE4D6762C3C67C5C628A6D
                                  APIs
                                  • GetWindowLongA.USER32(?,000000EB), ref: 00404087
                                  • GetSysColor.USER32(00000000), ref: 004040A3
                                  • SetTextColor.GDI32(?,00000000), ref: 004040AF
                                  • SetBkMode.GDI32(?,?), ref: 004040BB
                                  • GetSysColor.USER32(?), ref: 004040CE
                                  • SetBkColor.GDI32(?,?), ref: 004040DE
                                  • DeleteObject.GDI32(?), ref: 004040F8
                                  • CreateBrushIndirect.GDI32(?), ref: 00404102
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                  • String ID:
                                  • API String ID: 2320649405-0
                                  • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                  • Instruction ID: e72f94c4e22ee448d473b15cc8768ff49957eee448288f542271c02bb7392c6c
                                  • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                  • Instruction Fuzzy Hash: 2E218471500704ABC7319F68DD08B4BBBF8AF41714F048939EA95F66A0D734E944CB54
                                  APIs
                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040494F
                                  • GetMessagePos.USER32 ref: 00404957
                                  • ScreenToClient.USER32(?,?), ref: 00404971
                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404983
                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Message$Send$ClientScreen
                                  • String ID: f
                                  • API String ID: 41195575-1993550816
                                  • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                  • Instruction ID: 9f87d1f96637cd95e02eacff83315fbabeb05544dbb8078b13e3fe085f54f252
                                  • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                  • Instruction Fuzzy Hash: 54015275900219BAEB10DBA4DD45BFFBBBCAF55711F10412BBA50B61C0C7B459018BA5
                                  APIs
                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                  • MulDiv.KERNEL32(001562AE,00000064,001562B2), ref: 00402CA7
                                  • wsprintfA.USER32 ref: 00402CB7
                                  • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9
                                  Strings
                                  • verifying installer: %d%%, xrefs: 00402CB1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Text$ItemTimerWindowwsprintf
                                  • String ID: verifying installer: %d%%
                                  • API String ID: 1451636040-82062127
                                  • Opcode ID: eef9a404b70e8a65b08e01be9a087e60fbea96a6756cd33d7edc079d4ddd97f4
                                  • Instruction ID: e89b30bbe7a1ffbacd4e8467669da5a94a5c2e7b600bd1dad6d6b5a2d11bc3bf
                                  • Opcode Fuzzy Hash: eef9a404b70e8a65b08e01be9a087e60fbea96a6756cd33d7edc079d4ddd97f4
                                  • Instruction Fuzzy Hash: 0601177054020DFBEF249F61DD4AEEE3769EB04304F008039FA06B92D0DBB999558F59
                                  APIs
                                  • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405572
                                  • GetLastError.KERNEL32 ref: 00405586
                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040559B
                                  • GetLastError.KERNEL32 ref: 004055A5
                                  Strings
                                  • C:\Users\user\Desktop, xrefs: 0040552F
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405555
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                  • API String ID: 3449924974-1521822154
                                  • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                  • Instruction ID: 376828453cd42821b5cd8262128f85d8abda27f03043a04a3675b82aceba1981
                                  • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                  • Instruction Fuzzy Hash: 5A010871D10219EADF009BA1DD04BEFBBB9EB04355F00803AD544B6290E7789608CFA9
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                  • GlobalFree.KERNEL32(?), ref: 004027E5
                                  • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                  • String ID:
                                  • API String ID: 2667972263-0
                                  • Opcode ID: b45102d8d3259269e52f498ae29a62b13b390da9ee7db00c21edc77376252bc5
                                  • Instruction ID: 890f56038aeb86756f8426a045e697074279617aee550660c002ceda6b1f970f
                                  • Opcode Fuzzy Hash: b45102d8d3259269e52f498ae29a62b13b390da9ee7db00c21edc77376252bc5
                                  • Instruction Fuzzy Hash: 76219F71C00124BBCF216FA5DE49D9E7A79EF05364F14423AF924762E1CA794D418FA8
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402028
                                    • Part of subcall function 00405069: lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
                                    • Part of subcall function 00405069: lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
                                    • Part of subcall function 00405069: lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
                                    • Part of subcall function 00405069: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
                                    • Part of subcall function 00405069: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125
                                  • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402038
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                  • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                  • String ID: /z
                                  • API String ID: 2987980305-1190999251
                                  • Opcode ID: 199b9ca66f2f3be16db449d9886261fcca56c35d48349b9125478b6062e0a185
                                  • Instruction ID: ff4e9d8d41e245f71de90d7843dd5b4391991aa6675031779f7ddf1c1e2711a8
                                  • Opcode Fuzzy Hash: 199b9ca66f2f3be16db449d9886261fcca56c35d48349b9125478b6062e0a185
                                  • Instruction Fuzzy Hash: 5F21C971604215A7CF207FA58E49B5E7660AB45354F20413FF711B21D1CBBD4942965E
                                  APIs
                                  • GetDC.USER32(?), ref: 00401D98
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                  • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                  • CreateFontIndirectA.GDI32(0040B7F0), ref: 00401E1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                  • String ID:
                                  • API String ID: 3808545654-0
                                  • Opcode ID: 307c2f7223b588f157dad04ceaa6757d338b1b0beccffd4f2c8b683e5c007d1d
                                  • Instruction ID: 32ee968f6fa2a45aa154ac920770c0068bb4b7ad8556ade5f6a0693a6ec5f363
                                  • Opcode Fuzzy Hash: 307c2f7223b588f157dad04ceaa6757d338b1b0beccffd4f2c8b683e5c007d1d
                                  • Instruction Fuzzy Hash: 17019E72944645AFE7406BB1AE4AB9A3FF8EB55305F108439F241BA2F2CB7804058F7D
                                  APIs
                                  • GetDlgItem.USER32(?), ref: 00401D3F
                                  • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                  • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                  • DeleteObject.GDI32(00000000), ref: 00401D8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                  • String ID:
                                  • API String ID: 1849352358-0
                                  • Opcode ID: 5170087556e431b5de60660a5e52828f9803fa97d1a281977de149f3ddbae3c9
                                  • Instruction ID: 3a9f69e16af6b344df11f7afd522e3a5d0d390235353beccb8f2623f7f64b8ac
                                  • Opcode Fuzzy Hash: 5170087556e431b5de60660a5e52828f9803fa97d1a281977de149f3ddbae3c9
                                  • Instruction Fuzzy Hash: 79F0FFB2600515BFDB01EBA4DE88DAFB7BCEB44301B04446AF645F2191CA748D018B38
                                  APIs
                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: MessageSend$Timeout
                                  • String ID: !
                                  • API String ID: 1777923405-2657877971
                                  • Opcode ID: 41634464237ffc4a490c33a013805357df40b2c394da3d94f718f411ee4b7c5f
                                  • Instruction ID: 47ba27bed09b34a83addf96e827a594e01ed27391bdeb3cad423947a258da186
                                  • Opcode Fuzzy Hash: 41634464237ffc4a490c33a013805357df40b2c394da3d94f718f411ee4b7c5f
                                  • Instruction Fuzzy Hash: 13218F71A44209BEEB05DFA5D946AED7BB0EB84304F14803EF505F61E1DA7889408F28
                                  APIs
                                  • lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404745,000000DF,00000000,00000400,?), ref: 004048C8
                                  • wsprintfA.USER32 ref: 004048D0
                                  • SetDlgItemTextA.USER32(?,0079F540), ref: 004048E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: ItemTextlstrlenwsprintf
                                  • String ID: %u.%u%s%s
                                  • API String ID: 3540041739-3551169577
                                  • Opcode ID: 9b343dceee09ed7e7f6ed0b0987783c5ae876ff08b8d7c4f564122da271ac9eb
                                  • Instruction ID: d40bf1ec6497005f72ea1027000651d0cda96484cb7ea430e24c6b5614f4196a
                                  • Opcode Fuzzy Hash: 9b343dceee09ed7e7f6ed0b0987783c5ae876ff08b8d7c4f564122da271ac9eb
                                  • Instruction Fuzzy Hash: 6A11E77760452827DB00757D9C45EAF3288DB86374F25463BFA25F61D1E978CC1281E8
                                  APIs
                                  • lstrlenA.KERNEL32(C:\ProgramData\wvtynvwe\clxs.a3x,00000023,?,00000000,00000002,00000011,00000002), ref: 0040241B
                                  • RegSetValueExA.ADVAPI32(?,?,?,?,C:\ProgramData\wvtynvwe\clxs.a3x,00000000,?,00000000,00000002,00000011,00000002), ref: 00402458
                                  • RegCloseKey.ADVAPI32(?,?,?,C:\ProgramData\wvtynvwe\clxs.a3x,00000000,?,00000000,00000002,00000011,00000002), ref: 0040253C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CloseValuelstrlen
                                  • String ID: C:\ProgramData\wvtynvwe\clxs.a3x
                                  • API String ID: 2655323295-3552521189
                                  • Opcode ID: 95db2493a43c4bc9c0e441acb49331a876144abc02b3507964f67482ed42c715
                                  • Instruction ID: da24eaaec51cc95816ca64b213a576443ad0086fe66887fe7dbf5dd976a128c9
                                  • Opcode Fuzzy Hash: 95db2493a43c4bc9c0e441acb49331a876144abc02b3507964f67482ed42c715
                                  • Instruction Fuzzy Hash: 99115171E00215BEDF10FFA5DE89AAEBA74EB54754F20403BF908F61D1CAB84D419B29
                                  APIs
                                    • Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F
                                    • Part of subcall function 00405973: CharNextA.USER32(?,?,007A0948,?,004059DF,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405981
                                    • Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 00405986
                                    • Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 0040599A
                                  • lstrlenA.KERNEL32(007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A1B
                                  • GetFileAttributesA.KERNEL32(007A0948,007A0948,007A0948,007A0948,007A0948,007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405A2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\$Hz
                                  • API String ID: 3248276644-1641514571
                                  • Opcode ID: c9df4ada7f727d87a35fee49361aeb73f7da85869d5f85a71a166c7ad75332dd
                                  • Instruction ID: 5f745b3ca97bfd8df9e0b525eb7d85b75c6d739f83cdbb59465524be199bd04b
                                  • Opcode Fuzzy Hash: c9df4ada7f727d87a35fee49361aeb73f7da85869d5f85a71a166c7ad75332dd
                                  • Instruction Fuzzy Hash: 8CF0C875205D5156D622323A1C46B9F1745CE87378716463BF8A1B12D3DA3C88139DBE
                                  APIs
                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031BB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004058E0
                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031BB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004058E9
                                  • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004058FA
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004058DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrcatlstrlen
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 2659869361-823278215
                                  • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                  • Instruction ID: eba76a58ea1ff6bfef612508d9b3474851936f6545664b5d745be25ef5a18ef4
                                  • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                  • Instruction Fuzzy Hash: F9D0A9A2201A316AD21237158C09ECB2A0CCF06340B050076F308B21A1CA3C0E428BFE
                                  APIs
                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                  • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                  • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Close$Enum
                                  • String ID:
                                  • API String ID: 464197530-0
                                  • Opcode ID: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                                  • Instruction ID: fed2cd56577fe7b035228b0b929bbd134fccf085ba74c4e7284a1f4fa6732296
                                  • Opcode Fuzzy Hash: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                                  • Instruction Fuzzy Hash: 96118832500119BBEF01AF91CF09F9E3B79EF18341F104036BA05B50E0E7B4EE51AAA8
                                  APIs
                                  • DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
                                  • GetTickCount.KERNEL32 ref: 00402D15
                                  • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                  • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                  • String ID:
                                  • API String ID: 2102729457-0
                                  • Opcode ID: b2f7b9a99862a26ec52413e932bcd24799532df146b5b51e48da17ed45f9cf5d
                                  • Instruction ID: 2d9097a6a3a823d92573342c87c8e140217056fb4289b76a45e4b4044a0a9852
                                  • Opcode Fuzzy Hash: b2f7b9a99862a26ec52413e932bcd24799532df146b5b51e48da17ed45f9cf5d
                                  • Instruction Fuzzy Hash: 6DF05E30401621EBC6206B28BFCEE8E7B74BB45B02712457BF459B11F8DB7C48868B9C
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 0040500C
                                  • CallWindowProcA.USER32(?,?,?,?), ref: 0040505D
                                    • Part of subcall function 0040404F: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404061
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Window$CallMessageProcSendVisible
                                  • String ID:
                                  • API String ID: 3748168415-3916222277
                                  • Opcode ID: 6250ec76a35d91786fe0f3bbb491aaaf262455cd01ad0a4232066028cfa3f1df
                                  • Instruction ID: b168498847f37538db73494297a7dd182b81320d309b40d671ad71c289bb08e9
                                  • Opcode Fuzzy Hash: 6250ec76a35d91786fe0f3bbb491aaaf262455cd01ad0a4232066028cfa3f1df
                                  • Instruction Fuzzy Hash: DA0171B1100609AFEF205F21DD85AAF3A26EB84754F144037F601B62D3C77E8C929E9D
                                  APIs
                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,open C:\ProgramData\wvtynvwe\AutoIt3.exe,0079ED20,?,?,?,00000002,open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0040606D,80000002), ref: 00405E6F
                                  • RegCloseKey.ADVAPI32(?,?,0040606D,80000002,Software\Microsoft\Windows\CurrentVersion,open C:\ProgramData\wvtynvwe\AutoIt3.exe,open C:\ProgramData\wvtynvwe\AutoIt3.exe,open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0079ED20), ref: 00405E7A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2068249859.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068294850.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068313129.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2068650646.00000000007AC000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue
                                  • String ID: open C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 3356406503-1147314467
                                  • Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
                                  • Instruction ID: a652aa08729c3d21628c8661c06e1e1b2c4f4dfec8f44bbca4e9ccaac311a026
                                  • Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
                                  • Instruction Fuzzy Hash: 1E019A72500609AADF228F20CC09FDB3FA8EF05360F00802AF945A21A0D378DA14CBA8
                                  APIs
                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D48,Error launching installer), ref: 0040560A
                                  • CloseHandle.KERNEL32(?), ref: 00405617
                                  Strings
                                  • Error launching installer, xrefs: 004055F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleProcess
                                  • String ID: Error launching installer
                                  • API String ID: 3712363035-66219284
                                  • Opcode ID: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
                                  • Instruction ID: 62883942ff3fec4e096c12bfbc0e4171e63133af1454ac2aa76c170e6ce59af3
                                  • Opcode Fuzzy Hash: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
                                  • Instruction Fuzzy Hash: 4DE046F1600209BFEB009FA0ED09F7F7AACEB40744F408820BD14F6190D679A8008AB8
                                  APIs
                                  • FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,004036D5,004034EF,?,?,00000006,00000008,0000000A), ref: 00403717
                                  • GlobalFree.KERNEL32(00000000), ref: 0040371E
                                  Strings
                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004036FD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: Free$GlobalLibrary
                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                  • API String ID: 1100898210-823278215
                                  • Opcode ID: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
                                  • Instruction ID: c0f64fe77bbbc42f413017ec02fd14b49542df8adbdba9c58a8dfc12e9d6b7a7
                                  • Opcode Fuzzy Hash: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
                                  • Instruction Fuzzy Hash: 7DE0C2334011209BC621AF04EE0872E777CAF89B23F06842BF8407B36087781C524BCC
                                  APIs
                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405927
                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405935
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: CharPrevlstrlen
                                  • String ID: C:\Users\user\Desktop
                                  • API String ID: 2709904686-1246513382
                                  • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                  • Instruction ID: 699ee4e888cd28ae38f9bca6902325149b4c823d91dd7122b0a75dbe1f7ac172
                                  • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                  • Instruction Fuzzy Hash: BED0C7F2409DB0AEE7036314DC04B9F6A48DF16750F1A0466E181A61A5C67C4D424BBD
                                  APIs
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A50
                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A68
                                  • CharNextA.USER32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A79
                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2068272459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_Rage.jbxd
                                  Similarity
                                  • API ID: lstrlen$CharNextlstrcmpi
                                  • String ID:
                                  • API String ID: 190613189-0
                                  • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                  • Instruction ID: 7766273d4772ca776c7068fad2e72d6e4ea3cdc9eabdeecb7889bf38aa2ec68c
                                  • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                  • Instruction Fuzzy Hash: F8F0F631200918BFC702DFA5CD40DAEBBA8EF06350B2541B9E844F7210D634EE019FA9

                                  Execution Graph

                                  Execution Coverage: 3.7%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 1.7%
                                  Total number of Nodes: 2000
                                  Total number of Limit Nodes: 66
calls _wcslen 98583->98615 98585->98547 98586->98547 98587->98543 98589 f57d59 98588->98589 98590 f7016b 8 API calls 98589->98590 98591 f57d67 98590->98591 98616 f58386 98591->98616 98594 f583b0 98619 f5c700 98594->98619 98602->98530 98605 fb9703 _wcslen 98604->98605 98607 fb9738 98605->98607 98609 fb97f7 98605->98609 98610 fb97f2 98605->98610 98607->98610 98613 f6e2e5 41 API calls 98607->98613 98609->98610 98614 f6e2e5 41 API calls 98609->98614 98610->98564 98610->98570 98611->98567 98612->98569 98613->98607 98614->98609 98615->98583 98617 f7016b 8 API calls 98616->98617 98618 f57d6f 98617->98618 98618->98594 98620 f5c70b 98619->98620 98632->98202 98633->98207 98634->98214 98635->98227 98636->98228 98637->98229 98638->98229 98640 fdb97c ___scrt_fastfail 98639->98640 98641 fdb9b7 98640->98641 98642 fdb9f3 98640->98642 98643 f5c92d 39 API calls 98641->98643 98645 f5c92d 39 API calls 98642->98645 98649 fdb9ea 98642->98649 98646 fdb9c2 98643->98646 98644 fdba4c 98647 f58e70 52 API calls 98644->98647 98648 fdba04 98645->98648 98646->98649 98650 f5c92d 39 API calls 98646->98650 98652 fdba6a 98647->98652 98653 f5c92d 39 API calls 98648->98653 98649->98644 98651 f5c92d 39 API calls 98649->98651 98654 fdb9d7 98650->98654 98651->98644 98730 f54154 98652->98730 98653->98649 98656 f5c92d 39 API calls 98654->98656 98656->98649 98657 fdba74 98658 fdba7e 98657->98658 98659 fdbb37 98657->98659 98661 f58e70 52 API calls 98658->98661 98660 fdbb69 GetCurrentDirectoryW 98659->98660 98662 f58e70 52 API calls 98659->98662 98663 f7019b 8 API calls 98660->98663 98664 fdba8f 98661->98664 98665 fdbb4e 98662->98665 98666 fdbb8e GetCurrentDirectoryW 98663->98666 98667 f54154 8 API calls 98664->98667 98668 f54154 8 API calls 98665->98668 98669 fdbb9b 98666->98669 98670 fdba99 98667->98670 98671 fdbb58 _wcslen 98668->98671 98673 fdbbd4 98669->98673 98675 f56ab6 8 API calls 98669->98675 98672 f58e70 52 API calls 98670->98672 98671->98660 98671->98673 98674 fdbaaa 98672->98674 98681 fdbbea 
98673->98681 98682 fdbbe6 98673->98682 98676 f54154 8 API calls 98674->98676 98677 fdbbb4 98675->98677 98678 fdbab4 98676->98678 98679 f56ab6 8 API calls 98677->98679 98680 f58e70 52 API calls 98678->98680 98683 fdbbc4 98679->98683 98684 fdbac5 98680->98684 98734 fc107c 10 API calls 98681->98734 98686 fdbcf9 CreateProcessW 98682->98686 98687 fdbc57 98682->98687 98688 f56ab6 8 API calls 98683->98688 98689 f54154 8 API calls 98684->98689 98729 fdbc8e _wcslen 98686->98729 98737 fb1a58 25 API calls 98687->98737 98688->98673 98692 fdbacf 98689->98692 98690 fdbbf3 98735 fc0fa2 10 API calls 98690->98735 98695 fdbb05 GetSystemDirectoryW 98692->98695 98700 f58e70 52 API calls 98692->98700 98694 fdbc5c 98698 fdbc89 98694->98698 98699 fdbc82 98694->98699 98697 f7019b 8 API calls 98695->98697 98696 fdbc09 98736 fc0e63 8 API calls 98696->98736 98703 fdbb2a GetSystemDirectoryW 98697->98703 98739 fb1d5e 6 API calls 98698->98739 98738 fb1a91 114 API calls 2 library calls 98699->98738 98705 fdbae6 98700->98705 98702 fdbc2f 98702->98682 98703->98669 98708 f54154 8 API calls 98705->98708 98707 fdbc87 98707->98729 98711 fdbaf0 _wcslen 98708->98711 98709 fdbd8e CloseHandle 98712 fdbd9e 98709->98712 98722 fdbdf9 98709->98722 98710 fdbd35 GetLastError 98721 fdbd79 98710->98721 98711->98669 98711->98695 98714 fdbda5 CloseHandle 98712->98714 98715 fdbdb0 98712->98715 98714->98715 98716 fdbdb7 CloseHandle 98715->98716 98717 fdbdc2 98715->98717 98716->98717 98719 fdbdc9 CloseHandle 98717->98719 98720 fdbdd4 98717->98720 98718 fdbe05 98718->98721 98719->98720 98740 fc1295 20 API calls 98720->98740 98742 fc0a31 6 API calls 98721->98742 98722->98718 98725 fdbe31 CloseHandle 98722->98725 98725->98721 98726 fdb4d8 98726->98024 98727 fdbde5 98741 fdbe95 11 API calls 98727->98741 98729->98709 98729->98710 98731 f5415e _wcslen 98730->98731 98732 f7019b 8 API calls 98731->98732 98733 f54173 98732->98733 98733->98657 98734->98690 98735->98696 98736->98702 98737->98694 98738->98707 98739->98729 
98740->98727 98741->98722 98742->98726 98744 fc17cb 98743->98744 98745 f7016b 8 API calls 98744->98745 98746 fc17d2 98745->98746 98749 fbfbca 98746->98749 98748 fc180c 98748->98247 98750 f5c269 8 API calls 98749->98750 98751 fbfbdd CharLowerBuffW 98750->98751 98756 fbfbf0 98751->98756 98752 f5627c 8 API calls 98752->98756 98753 fbfbfa ___scrt_fastfail 98753->98748 98754 fbfc2e 98755 fbfc40 98754->98755 98782 f5627c 98754->98782 98758 f7019b 8 API calls 98755->98758 98756->98752 98756->98753 98756->98754 98761 fbfc6e 98758->98761 98763 fbfc90 98761->98763 98785 fbfb02 8 API calls 98761->98785 98762 fbfccd 98762->98753 98764 f7016b 8 API calls 98762->98764 98767 fbfd21 98763->98767 98765 fbfce7 98764->98765 98766 f7019b 8 API calls 98765->98766 98766->98753 98768 f5bf07 8 API calls 98767->98768 98769 fbfd53 98768->98769 98770 f5bf07 8 API calls 98769->98770 98771 fbfd5c 98770->98771 98772 f5bf07 8 API calls 98771->98772 98779 fbfd65 98772->98779 98773 f584b7 8 API calls 98773->98779 98774 f5acc0 8 API calls 98774->98779 98775 f76718 GetStringTypeW 98775->98779 98777 f76661 39 API calls 98777->98779 98778 fbfd21 40 API calls 98778->98779 98779->98773 98779->98774 98779->98775 98779->98777 98779->98778 98780 fc0029 98779->98780 98781 f5be6d 8 API calls 98779->98781 98786 f76742 GetStringTypeW _strftime 98779->98786 98780->98762 98781->98779 98783 f5c269 8 API calls 98782->98783 98784 f56287 98783->98784 98784->98755 98785->98761 98786->98779 98787->98052 98788->98052 98789->98058 98790->98053 98791->97961 98792->97958 98793->97959 98794->97959 98795 f51033 98800 f56686 98795->98800 98799 f51042 98801 f5bf07 8 API calls 98800->98801 98802 f566f4 98801->98802 98808 f555cc 98802->98808 98804 f56791 98806 f51038 98804->98806 98811 f568e6 8 API calls __fread_nolock 98804->98811 98807 f70433 29 API calls __onexit 98806->98807 98807->98799 98812 f555f8 98808->98812 98811->98804 98813 f555eb 98812->98813 98814 f55605 98812->98814 98813->98804 98814->98813 98815 f5560c 
RegOpenKeyExW 98814->98815 98815->98813 98816 f55626 RegQueryValueExW 98815->98816 98817 f5565c RegCloseKey 98816->98817 98818 f55647 98816->98818 98817->98813 98818->98817 98819 f6f9b1 98820 f6f9dc 98819->98820 98821 f6f9bb 98819->98821 98826 fafadc 98820->98826 98836 fb55d9 8 API calls messages 98820->98836 98828 f5c34b 98821->98828 98824 f6f9cb 98825 f5c34b 8 API calls 98824->98825 98827 f6f9db 98825->98827 98829 f5c381 messages 98828->98829 98830 f5c359 98828->98830 98829->98824 98831 f5c367 98830->98831 98832 f5c34b 8 API calls 98830->98832 98833 f5c36d 98831->98833 98834 f5c34b 8 API calls 98831->98834 98832->98831 98833->98829 98835 f5c780 8 API calls 98833->98835 98834->98833 98835->98829 98836->98820 98837 f5367c 98840 f53696 98837->98840 98841 f536ad 98840->98841 98842 f53711 98841->98842 98843 f536b2 98841->98843 98844 f5370f 98841->98844 98848 f53717 98842->98848 98849 f93dce 98842->98849 98845 f536bf 98843->98845 98846 f5378b PostQuitMessage 98843->98846 98847 f536f6 DefWindowProcW 98844->98847 98852 f93e3b 98845->98852 98853 f536ca 98845->98853 98855 f53690 98846->98855 98847->98855 98850 f53743 SetTimer RegisterWindowMessageW 98848->98850 98851 f5371e 98848->98851 98899 f52f24 10 API calls 98849->98899 98850->98855 98858 f5376c CreatePopupMenu 98850->98858 98856 f53727 KillTimer 98851->98856 98857 f93d6f 98851->98857 98912 fbc80c 65 API calls ___scrt_fastfail 98852->98912 98859 f53795 98853->98859 98860 f536d4 98853->98860 98885 f5388e 98856->98885 98863 f93daa MoveWindow 98857->98863 98864 f93d74 98857->98864 98858->98855 98889 f6fcbb 98859->98889 98866 f93e20 98860->98866 98867 f536df 98860->98867 98862 f93def 98900 f6f1c6 40 API calls 98862->98900 98863->98855 98871 f93d99 SetFocus 98864->98871 98872 f93d7a 98864->98872 98866->98847 98911 fb1367 8 API calls 98866->98911 98874 f53779 98867->98874 98875 f536ea 98867->98875 98868 f93e4d 98868->98847 98868->98855 98871->98855 98872->98875 98876 f93d83 98872->98876 98897 f537a6 75 API calls 
___scrt_fastfail 98874->98897 98875->98847 98882 f5388e Shell_NotifyIconW 98875->98882 98898 f52f24 10 API calls 98876->98898 98881 f53789 98881->98855 98883 f93e14 98882->98883 98901 f538f2 98883->98901 98886 f5373a 98885->98886 98887 f538a0 ___scrt_fastfail 98885->98887 98896 f5572c DeleteObject DestroyWindow 98886->98896 98888 f538bf Shell_NotifyIconW 98887->98888 98888->98886 98890 f6fd59 98889->98890 98891 f6fcd3 ___scrt_fastfail 98889->98891 98890->98855 98913 f55f59 98891->98913 98893 f6fd42 KillTimer SetTimer 98893->98890 98894 f6fcfa 98894->98893 98895 fafdcb Shell_NotifyIconW 98894->98895 98895->98893 98896->98855 98897->98881 98898->98855 98899->98862 98900->98875 98902 f5391d ___scrt_fastfail 98901->98902 98947 f55ce2 98902->98947 98905 f539a3 98907 f539c1 Shell_NotifyIconW 98905->98907 98908 f940a7 Shell_NotifyIconW 98905->98908 98909 f55f59 55 API calls 98907->98909 98910 f539d7 98909->98910 98910->98844 98911->98844 98912->98868 98914 f55f76 98913->98914 98933 f56058 98913->98933 98915 f57a14 8 API calls 98914->98915 98916 f55f84 98915->98916 98917 f55f91 98916->98917 98918 f95101 LoadStringW 98916->98918 98919 f584b7 8 API calls 98917->98919 98921 f9511b 98918->98921 98920 f55fa6 98919->98920 98922 f55fb3 98920->98922 98928 f95137 98920->98928 98924 f5be6d 8 API calls 98921->98924 98929 f55fd9 ___scrt_fastfail 98921->98929 98922->98921 98923 f55fbd 98922->98923 98925 f565a4 8 API calls 98923->98925 98924->98929 98926 f55fcb 98925->98926 98943 f57af4 8 API calls 98926->98943 98928->98929 98930 f9517a 98928->98930 98932 f5bf07 8 API calls 98928->98932 98931 f5603e Shell_NotifyIconW 98929->98931 98946 f6fe8f 51 API calls 98930->98946 98931->98933 98934 f95161 98932->98934 98933->98894 98944 fba265 9 API calls 98934->98944 98937 f95199 98939 f565a4 8 API calls 98937->98939 98938 f9516c 98945 f57af4 8 API calls 98938->98945 98941 f951aa 98939->98941 98942 f565a4 8 API calls 98941->98942 98942->98929 98943->98929 98944->98938 98945->98930 98946->98937 
98948 f53972 98947->98948 98949 f55cfe 98947->98949 98948->98905 98951 fbd034 42 API calls _strftime 98948->98951 98949->98948 98950 f94eff DestroyIcon 98949->98950 98950->98948 98951->98905 98952 fa3fb3 98968 f5ee60 messages 98952->98968 98953 f5f1c1 PeekMessageW 98953->98968 98954 f5eeb7 GetInputState 98954->98953 98954->98968 98955 f5f085 98957 fa3271 TranslateAcceleratorW 98957->98968 98958 f5f23f PeekMessageW 98958->98968 98959 f5f0b4 timeGetTime 98959->98968 98960 f5f223 TranslateMessage DispatchMessageW 98960->98958 98961 f5f25f Sleep 98978 f5f270 98961->98978 98962 fa4127 Sleep 98962->98978 98963 f6f27e timeGetTime 98963->98978 98964 fa338d timeGetTime 99016 f6a9e5 9 API calls 98964->99016 98967 fa41be GetExitCodeProcess 98971 fa41ea CloseHandle 98967->98971 98972 fa41d4 WaitForSingleObject 98967->98972 98968->98953 98968->98954 98968->98955 98968->98957 98968->98958 98968->98959 98968->98960 98968->98961 98968->98962 98968->98964 98981 f602f0 366 API calls 98968->98981 98982 f62ad0 366 API calls 98968->98982 98984 f5f400 98968->98984 98992 f5f680 98968->98992 99015 f6f2a5 IsDialogMessageW GetClassLongW 98968->99015 99017 fc4384 8 API calls 98968->99017 99018 fc3ef6 81 API calls __wsopen_s 98968->99018 98969 fa3cf5 98974 fa3cfd 98969->98974 98970 fe331e GetForegroundWindow 98970->98978 98971->98978 98972->98968 98972->98971 98975 fa425c Sleep 98975->98968 98978->98963 98978->98967 98978->98968 98978->98969 98978->98970 98978->98975 99019 fd5fb5 8 API calls 98978->99019 99020 fbf1a7 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98978->99020 99021 fbdc9c 46 API calls 98978->99021 98981->98968 98982->98968 98985 f5f411 98984->98985 98986 f5f433 98985->98986 98987 f5f41f 98985->98987 99054 fc3ef6 81 API calls __wsopen_s 98986->99054 99022 f5e910 98987->99022 98989 f5f42a 98989->98968 98991 fa4528 98991->98991 98993 f5f6c0 98992->98993 99010 f5f78c messages 98993->99010 99075 f705d2 5 API calls __Init_thread_wait 
98993->99075 98994 f602f0 366 API calls 98994->99010 98997 fa457d 99000 f5bf07 8 API calls 98997->99000 98997->99010 98998 f5bf07 8 API calls 98998->99010 98999 fc3ef6 81 API calls 98999->99010 99001 fa4597 99000->99001 99076 f70433 29 API calls __onexit 99001->99076 99005 fa45a1 99077 f70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99005->99077 99009 f5be6d 8 API calls 99009->99010 99010->98994 99010->98998 99010->98999 99010->99009 99011 f5fa91 99010->99011 99012 f61c50 8 API calls 99010->99012 99070 f5bdc1 99010->99070 99074 f6b2d6 366 API calls 99010->99074 99078 f705d2 5 API calls __Init_thread_wait 99010->99078 99079 f70433 29 API calls __onexit 99010->99079 99080 f70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99010->99080 99081 fd5131 101 API calls 99010->99081 99082 fd721e 366 API calls 99010->99082 99011->98968 99012->99010 99015->98968 99016->98968 99017->98968 99018->98968 99019->98978 99020->98978 99021->98978 99023 f602f0 366 API calls 99022->99023 99040 f5e94d 99023->99040 99024 fa3176 99068 fc3ef6 81 API calls __wsopen_s 99024->99068 99026 f5ea73 99028 f5ed85 99026->99028 99030 f5ea7e 99026->99030 99027 f5e9bb messages 99027->98989 99028->99027 99038 f7019b 8 API calls 99028->99038 99029 f5ecaf 99031 f5ecc4 99029->99031 99032 fa3167 99029->99032 99034 f7016b 8 API calls 99030->99034 99035 f7016b 8 API calls 99031->99035 99067 fd6062 8 API calls 99032->99067 99033 f5eb68 99039 f7019b 8 API calls 99033->99039 99043 f5ea85 __fread_nolock 99034->99043 99047 f5eb1a 99035->99047 99037 f7016b 8 API calls 99037->99040 99038->99043 99049 f5ead9 __fread_nolock messages 99039->99049 99040->99024 99040->99026 99040->99027 99040->99028 99040->99033 99040->99037 99040->99049 99041 f7016b 8 API calls 99042 f5eaa6 99041->99042 99042->99049 99055 f5d210 99042->99055 99043->99041 99043->99042 99045 fa3156 99066 fc3ef6 81 API calls __wsopen_s 99045->99066 99047->98989 99049->99029 99049->99045 99049->99047 99050 fa3131 
99049->99050 99052 fa310f 99049->99052 99063 f54485 366 API calls 99049->99063 99065 fc3ef6 81 API calls __wsopen_s 99050->99065 99064 fc3ef6 81 API calls __wsopen_s 99052->99064 99054->98991 99056 f5d276 99055->99056 99057 f5d24a 99055->99057 99059 f602f0 366 API calls 99056->99059 99058 f5f680 366 API calls 99057->99058 99062 f5d250 99057->99062 99058->99062 99060 fa17ee 99059->99060 99060->99062 99069 fc3ef6 81 API calls __wsopen_s 99060->99069 99062->99049 99063->99049 99064->99047 99065->99047 99066->99047 99067->99024 99068->99027 99069->99062 99071 f5bdcc 99070->99071 99072 f5bdfb 99071->99072 99083 f5bf39 99071->99083 99072->99010 99074->99010 99075->98997 99076->99005 99077->99010 99078->99010 99079->99010 99080->99010 99081->99010 99082->99010 99100 f5cf30 99083->99100 99085 f5bf49 99086 f5bf57 99085->99086 99087 fa0d59 99085->99087 99089 f7016b 8 API calls 99086->99089 99088 f5b3fe 8 API calls 99087->99088 99091 fa0d64 99088->99091 99090 f5bf68 99089->99090 99092 f5bf07 8 API calls 99090->99092 99093 f5bf72 99092->99093 99094 f5bf81 99093->99094 99095 f5be6d 8 API calls 99093->99095 99096 f7016b 8 API calls 99094->99096 99095->99094 99097 f5bf8b 99096->99097 99108 f5be0f 39 API calls 99097->99108 99099 f5bfaf 99099->99072 99101 f5d177 99100->99101 99102 f5cf43 99100->99102 99101->99085 99104 f5bf07 8 API calls 99102->99104 99106 f5cfed 99102->99106 99109 f705d2 5 API calls __Init_thread_wait 99102->99109 99110 f70433 29 API calls __onexit 99102->99110 99111 f70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99102->99111 99104->99102 99106->99085 99108->99099 99109->99102 99110->99102 99111->99102 99441 f88792 99446 f8854e 99441->99446 99444 f887ba 99451 f8857f try_get_first_available_module 99446->99451 99448 f8877e 99465 f82b7c 26 API calls _strftime 99448->99465 99450 f886d3 99450->99444 99458 f90d24 99450->99458 99454 f886c8 99451->99454 99461 f7919b 40 API calls 2 library calls 99451->99461 99453 f8871c 99453->99454 99462 f7919b 40 
API calls 2 library calls 99453->99462 99454->99450 99464 f7f669 20 API calls __dosmaperr 99454->99464 99456 f8873b 99456->99454 99463 f7919b 40 API calls 2 library calls 99456->99463 99466 f90421 99458->99466 99460 f90d3f 99460->99444 99461->99453 99462->99456 99463->99454 99464->99448 99465->99450 99468 f9042d ___scrt_is_nonwritable_in_current_image 99466->99468 99467 f9043b 99524 f7f669 20 API calls __dosmaperr 99467->99524 99468->99467 99470 f90474 99468->99470 99477 f909fb 99470->99477 99471 f90440 99525 f82b7c 26 API calls _strftime 99471->99525 99476 f9044a __wsopen_s 99476->99460 99527 f907cf 99477->99527 99480 f90a2d 99559 f7f656 20 API calls __dosmaperr 99480->99559 99481 f90a46 99545 f855b1 99481->99545 99484 f90a4b 99485 f90a6b 99484->99485 99486 f90a54 99484->99486 99558 f9073a CreateFileW 99485->99558 99561 f7f656 20 API calls __dosmaperr 99486->99561 99490 f90a59 99562 f7f669 20 API calls __dosmaperr 99490->99562 99491 f90aa4 99493 f90b21 GetFileType 99491->99493 99495 f90af6 GetLastError 99491->99495 99563 f9073a CreateFileW 99491->99563 99494 f90b2c GetLastError 99493->99494 99498 f90b73 99493->99498 99565 f7f633 20 API calls 2 library calls 99494->99565 99564 f7f633 20 API calls 2 library calls 99495->99564 99567 f854fa 21 API calls 3 library calls 99498->99567 99500 f90a32 99560 f7f669 20 API calls __dosmaperr 99500->99560 99501 f90b3a CloseHandle 99501->99500 99504 f90b63 99501->99504 99502 f90ae9 99502->99493 99502->99495 99566 f7f669 20 API calls __dosmaperr 99504->99566 99505 f90b94 99507 f90be0 99505->99507 99568 f9094b 72 API calls 4 library calls 99505->99568 99512 f90c0d 99507->99512 99569 f904ed 72 API calls 4 library calls 99507->99569 99508 f90b68 99508->99500 99511 f90c06 99511->99512 99513 f90c1e 99511->99513 99570 f88a3e 99512->99570 99515 f90498 99513->99515 99516 f90c9c CloseHandle 99513->99516 99526 f904c1 LeaveCriticalSection __wsopen_s 99515->99526 99585 f9073a CreateFileW 99516->99585 99518 f90cc7 99519 f90cd1 GetLastError 
99518->99519 99520 f90cfd 99518->99520 99586 f7f633 20 API calls 2 library calls 99519->99586 99520->99515 99522 f90cdd 99587 f856c3 21 API calls 3 library calls 99522->99587 99524->99471 99525->99476 99526->99476 99528 f907f0 99527->99528 99529 f9080a 99527->99529 99528->99529 99595 f7f669 20 API calls __dosmaperr 99528->99595 99588 f9075f 99529->99588 99532 f907ff 99596 f82b7c 26 API calls _strftime 99532->99596 99534 f90842 99535 f90871 99534->99535 99597 f7f669 20 API calls __dosmaperr 99534->99597 99542 f908c4 99535->99542 99599 f7da9d 26 API calls 2 library calls 99535->99599 99538 f908bf 99540 f9093e 99538->99540 99538->99542 99539 f90866 99598 f82b7c 26 API calls _strftime 99539->99598 99600 f82b8c 11 API calls _abort 99540->99600 99542->99480 99542->99481 99544 f9094a 99546 f855bd ___scrt_is_nonwritable_in_current_image 99545->99546 99603 f832ee EnterCriticalSection 99546->99603 99548 f855c4 99549 f855e9 99548->99549 99554 f85657 EnterCriticalSection 99548->99554 99556 f8560b 99548->99556 99607 f85390 99549->99607 99552 f85634 __wsopen_s 99552->99484 99555 f85664 LeaveCriticalSection 99554->99555 99554->99556 99555->99548 99604 f856ba 99556->99604 99558->99491 99559->99500 99560->99515 99561->99490 99562->99500 99563->99502 99564->99500 99565->99501 99566->99508 99567->99505 99568->99507 99569->99511 99633 f85754 99570->99633 99572 f88a54 99646 f856c3 21 API calls 3 library calls 99572->99646 99574 f88a4e 99574->99572 99575 f85754 __wsopen_s 26 API calls 99574->99575 99584 f88a86 99574->99584 99579 f88a7d 99575->99579 99576 f85754 __wsopen_s 26 API calls 99580 f88a92 CloseHandle 99576->99580 99577 f88aac 99578 f88ace 99577->99578 99647 f7f633 20 API calls 2 library calls 99577->99647 99578->99515 99583 f85754 __wsopen_s 26 API calls 99579->99583 99580->99572 99581 f88a9e GetLastError 99580->99581 99581->99572 99583->99584 99584->99572 99584->99576 99585->99518 99586->99522 99587->99520 99589 f90777 99588->99589 99590 f90792 99589->99590 99601 f7f669 20 API 
calls __dosmaperr 99589->99601 99590->99534 99592 f907b6 99602 f82b7c 26 API calls _strftime 99592->99602 99594 f907c1 99594->99534 99595->99532 99596->99529 99597->99539 99598->99535 99599->99538 99600->99544 99601->99592 99602->99594 99603->99548 99615 f83336 LeaveCriticalSection 99604->99615 99606 f856c1 99606->99552 99616 f8500d 99607->99616 99609 f853a2 99613 f853af 99609->99613 99623 f83795 11 API calls 2 library calls 99609->99623 99612 f85401 99612->99556 99614 f854d7 EnterCriticalSection 99612->99614 99624 f82d58 99613->99624 99614->99556 99615->99606 99621 f8501a pre_c_initialization 99616->99621 99617 f85045 RtlAllocateHeap 99619 f85058 99617->99619 99617->99621 99618 f8505a 99631 f7f669 20 API calls __dosmaperr 99618->99631 99619->99609 99621->99617 99621->99618 99630 f7523d 7 API calls 2 library calls 99621->99630 99623->99609 99625 f82d8c _free 99624->99625 99626 f82d63 RtlFreeHeap 99624->99626 99625->99612 99626->99625 99627 f82d78 99626->99627 99632 f7f669 20 API calls __dosmaperr 99627->99632 99629 f82d7e GetLastError 99629->99625 99630->99621 99631->99619 99632->99629 99634 f85761 99633->99634 99635 f85776 99633->99635 99648 f7f656 20 API calls __dosmaperr 99634->99648 99640 f8579b 99635->99640 99650 f7f656 20 API calls __dosmaperr 99635->99650 99637 f85766 99649 f7f669 20 API calls __dosmaperr 99637->99649 99640->99574 99641 f857a6 99651 f7f669 20 API calls __dosmaperr 99641->99651 99642 f8576e 99642->99574 99644 f857ae 99652 f82b7c 26 API calls _strftime 99644->99652 99646->99577 99647->99578 99648->99637 99649->99642 99650->99641 99651->99644 99652->99642 99653 f51098 99658 f55d78 99653->99658 99657 f510a7 99659 f5bf07 8 API calls 99658->99659 99660 f55d8f GetVersionExW 99659->99660 99661 f584b7 8 API calls 99660->99661 99662 f55ddc 99661->99662 99663 f596d9 8 API calls 99662->99663 99677 f55e12 99662->99677 99664 f55e06 99663->99664 99679 f579ed 99664->99679 99666 f55ecc GetCurrentProcess IsWow64Process 99667 f55ee8 99666->99667 99668 f55f00 
LoadLibraryA 99667->99668 99669 f950f2 GetSystemInfo 99667->99669 99670 f55f11 GetProcAddress 99668->99670 99671 f55f4d GetSystemInfo 99668->99671 99670->99671 99674 f55f21 GetNativeSystemInfo 99670->99674 99672 f55f27 99671->99672 99675 f5109d 99672->99675 99676 f55f2b FreeLibrary 99672->99676 99673 f950ad 99674->99672 99678 f70433 29 API calls __onexit 99675->99678 99676->99675 99677->99666 99677->99673 99678->99657 99680 f579fb 99679->99680 99681 f596d9 8 API calls 99680->99681 99682 f57a0f 99681->99682 99682->99677 99112 fa55f4 99121 f6e34f 99112->99121 99114 fa560a 99116 fa5685 99114->99116 99130 f6a9e5 9 API calls 99114->99130 99119 fa617b 99116->99119 99132 fc3ef6 81 API calls __wsopen_s 99116->99132 99118 fa5665 99118->99116 99131 fc2393 8 API calls 99118->99131 99122 f6e370 99121->99122 99123 f6e35d 99121->99123 99125 f6e375 99122->99125 99126 f6e3a3 99122->99126 99124 f5b3fe 8 API calls 99123->99124 99129 f6e367 99124->99129 99128 f7016b 8 API calls 99125->99128 99127 f5b3fe 8 API calls 99126->99127 99127->99129 99128->99129 99129->99114 99130->99118 99131->99116 99132->99119 99683 f5105b 99688 f5522e 99683->99688 99685 f5106a 99719 f70433 29 API calls __onexit 99685->99719 99687 f51074 99689 f5523e __wsopen_s 99688->99689 99690 f5bf07 8 API calls 99689->99690 99691 f552f4 99690->99691 99720 f5551b 99691->99720 99693 f552fd 99727 f551bf 99693->99727 99696 f565a4 8 API calls 99697 f55316 99696->99697 99733 f5684e 99697->99733 99700 f5bf07 8 API calls 99701 f5532e 99700->99701 99702 f5bceb 8 API calls 99701->99702 99703 f55337 RegOpenKeyExW 99702->99703 99704 f94bc0 RegQueryValueExW 99703->99704 99708 f55359 99703->99708 99705 f94bdd 99704->99705 99706 f94c56 RegCloseKey 99704->99706 99707 f7019b 8 API calls 99705->99707 99706->99708 99718 f94c68 _wcslen 99706->99718 99709 f94bf6 99707->99709 99708->99685 99739 f541a6 99709->99739 99710 f5627c 8 API calls 99710->99718 99713 f94c1e 99714 f584b7 8 API calls 99713->99714 99715 f94c38 messages 99714->99715 
99715->99706 99716 f5b25f 8 API calls 99716->99718 99717 f5684e 8 API calls 99717->99718 99718->99708 99718->99710 99718->99716 99718->99717 99719->99687 99742 f922f0 99720->99742 99723 f5b25f 8 API calls 99724 f5554e 99723->99724 99744 f5557e 99724->99744 99726 f55558 99726->99693 99728 f922f0 __wsopen_s 99727->99728 99729 f551cc GetFullPathNameW 99728->99729 99730 f551ee 99729->99730 99731 f584b7 8 API calls 99730->99731 99732 f5520c 99731->99732 99732->99696 99734 f5685d 99733->99734 99738 f5687e __fread_nolock 99733->99738 99737 f7019b 8 API calls 99734->99737 99735 f7016b 8 API calls 99736 f55325 99735->99736 99736->99700 99737->99738 99738->99735 99740 f7016b 8 API calls 99739->99740 99741 f541b8 RegQueryValueExW 99740->99741 99741->99713 99741->99715 99743 f55528 GetModuleFileNameW 99742->99743 99743->99723 99745 f922f0 __wsopen_s 99744->99745 99746 f5558b GetFullPathNameW 99745->99746 99747 f555c5 99746->99747 99748 f555aa 99746->99748 99749 f5bceb 8 API calls 99747->99749 99750 f584b7 8 API calls 99748->99750 99751 f555b6 99749->99751 99750->99751 99752 f579ed 8 API calls 99751->99752 99753 f555c2 99752->99753 99753->99726 99754 fa1754 99755 f62ad0 366 API calls 99754->99755 99757 fa1766 99755->99757 99756 f5d250 99757->99756 99759 fc3ef6 81 API calls __wsopen_s 99757->99759 99759->99756 99133 f5d9fa 99134 f5da04 99133->99134 99144 f5db74 99133->99144 99135 f5cf30 39 API calls 99134->99135 99134->99144 99136 f5da7e 99135->99136 99137 f7016b 8 API calls 99136->99137 99138 f5da97 99137->99138 99139 f7019b 8 API calls 99138->99139 99140 f5dab5 99139->99140 99141 f7016b 8 API calls 99140->99141 99143 f5dac6 __fread_nolock 99141->99143 99142 f7016b 8 API calls 99146 f5db2f 99142->99146 99143->99142 99143->99144 99145 f7019b 8 API calls 99144->99145 99147 f5d591 99144->99147 99150 f5dbc9 99144->99150 99145->99144 99146->99144 99148 f5cf30 39 API calls 99146->99148 99149 f7016b 8 API calls 99147->99149 99148->99144 99155 f5d61e messages 99149->99155 99151 f5c34b 
8 API calls 99161 f5d95c messages 99151->99161 99152 f5be6d 8 API calls 99152->99155 99153 f5b3fe 8 API calls 99153->99155 99155->99152 99155->99153 99156 fa1f1c 99155->99156 99158 fa1f37 99155->99158 99159 f5c34b 8 API calls 99155->99159 99160 f5d8c1 messages 99155->99160 99164 fb55d9 8 API calls messages 99156->99164 99159->99155 99160->99151 99160->99161 99162 f5d973 99161->99162 99163 f6e284 8 API calls messages 99161->99163 99163->99161 99164->99158 99760 f51044 99765 f52735 99760->99765 99802 f529da 99765->99802 99769 f527ac 99770 f5bf07 8 API calls 99769->99770 99771 f527b6 99770->99771 99772 f5bf07 8 API calls 99771->99772 99773 f527c0 99772->99773 99774 f5bf07 8 API calls 99773->99774 99775 f527ca 99774->99775 99776 f5bf07 8 API calls 99775->99776 99777 f52808 99776->99777 99778 f5bf07 8 API calls 99777->99778 99779 f528d4 99778->99779 99812 f52d5e 99779->99812 99783 f52906 99784 f5bf07 8 API calls 99783->99784 99785 f52910 99784->99785 99786 f630e0 9 API calls 99785->99786 99787 f5293b 99786->99787 99833 f530ed 99787->99833 99789 f52957 99790 f52967 GetStdHandle 99789->99790 99791 f939c1 99790->99791 99792 f529bc 99790->99792 99791->99792 99793 f939ca 99791->99793 99795 f529c9 OleInitialize 99792->99795 99842 f52a33 99802->99842 99805 f52a33 8 API calls 99806 f52a12 99805->99806 99807 f5bf07 8 API calls 99806->99807 99808 f52a1e 99807->99808 99809 f584b7 8 API calls 99808->99809 99810 f5276b 99809->99810 99811 f53205 6 API calls 99810->99811 99811->99769 99813 f5bf07 8 API calls 99812->99813 99814 f52d6e 99813->99814 99815 f5bf07 8 API calls 99814->99815 99816 f52d76 99815->99816 99817 f5bf07 8 API calls 99816->99817 99818 f52d91 99817->99818 99819 f7016b 8 API calls 99818->99819 99820 f528de 99819->99820 99821 f5318c 99820->99821 99822 f5319a 99821->99822 99823 f5bf07 8 API calls 99822->99823 99824 f531a5 99823->99824 99825 f5bf07 8 API calls 99824->99825 99826 f531b0 99825->99826 99827 f5bf07 8 API calls 99826->99827 99828 f531bb 99827->99828 99829 
[Control-flow graph export: rendered node/edge list of the sample's call graph (Joe Sandbox IDA Plugin); edge list omitted]

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  [Control-flow graph of function 00F55D78 (calls GetVersionExW, IsWow64Process, LoadLibraryA/GetProcAddress for GetNativeSystemInfo, GetSystemInfo); basic-block edge list omitted]
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 00F55DA7
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  • GetCurrentProcess.KERNEL32(?,00FEDC2C,00000000,?,?), ref: 00F55ED3
                                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F55EDA
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F55F05
                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F55F17
                                  • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F55F25
                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F55F2C
                                  • GetSystemInfo.KERNEL32(?,?,?), ref: 00F55F51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                  • API String ID: 3290436268-3101561225
                                  • Opcode ID: d23c24702363798d729145c10a06765535924ef53391069072fa902fab2d8b3b
                                  • Instruction ID: ad16c1f73c600a6a42456fc439695d5046030b701ffb6fff2891195ee66c1ed8
                                  • Opcode Fuzzy Hash: d23c24702363798d729145c10a06765535924ef53391069072fa902fab2d8b3b
                                  • Instruction Fuzzy Hash: BAA1D33280A7C5CFDB36CFE874415997FA46B36715B34D89AE9C1A7209C23E4948EB31

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F532EF,?), ref: 00F53342
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F532EF,?), ref: 00F53355
                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,01022418,01022400,?,?,?,?,?,?,00F532EF,?), ref: 00F533C1
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                    • Part of subcall function 00F541E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F533E9,01022418,?,?,?,?,?,?,?,00F532EF,?), ref: 00F54227
                                  • SetCurrentDirectoryW.KERNEL32(?,00000001,01022418,?,?,?,?,?,?,?,00F532EF,?), ref: 00F53442
                                  • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00F93C8A
                                  • SetCurrentDirectoryW.KERNEL32(?,01022418,?,?,?,?,?,?,?,00F532EF,?), ref: 00F93CCB
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,010131F4,01022418,?,?,?,?,?,?,?,00F532EF), ref: 00F93D54
                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 00F93D5B
                                    • Part of subcall function 00F5345A: GetSysColorBrush.USER32(0000000F), ref: 00F53465
                                    • Part of subcall function 00F5345A: LoadCursorW.USER32(00000000,00007F00), ref: 00F53474
                                    • Part of subcall function 00F5345A: LoadIconW.USER32(00000063), ref: 00F5348A
                                    • Part of subcall function 00F5345A: LoadIconW.USER32(000000A4), ref: 00F5349C
                                    • Part of subcall function 00F5345A: LoadIconW.USER32(000000A2), ref: 00F534AE
                                    • Part of subcall function 00F5345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F534C6
                                    • Part of subcall function 00F5345A: RegisterClassExW.USER32(?), ref: 00F53517
                                    • Part of subcall function 00F5353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F53568
                                    • Part of subcall function 00F5353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53589
                                    • Part of subcall function 00F5353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F532EF,?), ref: 00F5359D
                                    • Part of subcall function 00F5353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F532EF,?), ref: 00F535A6
                                    • Part of subcall function 00F538F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F539C3
                                  Strings
                                  • runas, xrefs: 00F93D4F
                                  • AutoIt, xrefs: 00F93C7F
                                  • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00F93C84
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                  • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                  • API String ID: 683915450-2030392706
                                  • Opcode ID: f5ffb8e704c1283b8b39ce9979fffa46c193e31b8d17f16d0325c18039fb42ed
                                  • Instruction ID: 9ef08b5f0430ac5c79553ab3dbd68efd9658dab69e5e304e5a540ed954e35f37
                                  • Opcode Fuzzy Hash: f5ffb8e704c1283b8b39ce9979fffa46c193e31b8d17f16d0325c18039fb42ed
                                  • Instruction Fuzzy Hash: 08513431108384AEDB25EFA4DC419AE7BB8AF84741F40041CFAC14A156CE798A8DF722
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,00F7504E,?,010198D8,0000000C,00F751A5,?,00000002,00000000), ref: 00F75099
                                  • TerminateProcess.KERNEL32(00000000,?,00F7504E,?,010198D8,0000000C,00F751A5,?,00000002,00000000), ref: 00F750A0
                                  • ExitProcess.KERNEL32 ref: 00F750B2
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 50f604c39de9c0f60d5e70545077f6b9dc720907c0e48810e5715725fa951ba8
                                  • Instruction ID: 7263b5341f29ac83b854562a67542f995056b8d8f15e6e9650040f29b6c34d20
                                  • Opcode Fuzzy Hash: 50f604c39de9c0f60d5e70545077f6b9dc720907c0e48810e5715725fa951ba8
                                  • Instruction Fuzzy Hash: 88E0B632800588AFDF216F54DD49E583B6AEB40B91F008015F8198A532DB7AED42EB91

                                  Control-flow Graph

                                  APIs
                                  • _wcslen.LIBCMT ref: 00FDBAF7
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBB0F
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBB33
                                  • _wcslen.LIBCMT ref: 00FDBB5F
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBB73
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBB95
                                  • _wcslen.LIBCMT ref: 00FDBC91
                                    • Part of subcall function 00FC0E63: GetStdHandle.KERNEL32(000000F6), ref: 00FC0E82
                                  • _wcslen.LIBCMT ref: 00FDBCAA
                                  • _wcslen.LIBCMT ref: 00FDBCC5
                                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FDBD15
                                  • GetLastError.KERNEL32(00000000), ref: 00FDBD66
                                  • CloseHandle.KERNEL32(?), ref: 00FDBD98
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDBDA9
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDBDBB
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDBDCD
                                  • CloseHandle.KERNEL32(?), ref: 00FDBE42
                                  Similarity
                                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                  • String ID:
                                  • API String ID: 2178637699-0
                                  • Opcode ID: 111ce2549f61c0811fa19d9bdffb0142fdfd9041f9d37339b386c9594a8cbb92
                                  • Instruction ID: 427f3e97dd8afffac5f28ed06bd643bb674cde0c3ca3b69c8e72a0b01add936a
                                  • Opcode Fuzzy Hash: 111ce2549f61c0811fa19d9bdffb0142fdfd9041f9d37339b386c9594a8cbb92
                                  • Instruction Fuzzy Hash: FCF1AF71504340DFC715EF24C881B6ABBE2AF85324F19855EF9998B3A2CB34EC45EB52
                                  APIs
                                  • GetInputState.USER32 ref: 00F5EEB7
                                  • timeGetTime.WINMM ref: 00F5F0B7
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5F1D8
                                  • TranslateMessage.USER32(?), ref: 00F5F22B
                                  • DispatchMessageW.USER32(?), ref: 00F5F239
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5F24F
                                  • Sleep.KERNEL32(0000000A), ref: 00F5F261
                                  Similarity
                                  • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                  • String ID:
                                  • API String ID: 2189390790-0
                                  • Opcode ID: 75d0d83780199cc144fb017b1f08f449b45662a803db413a3de17bc6f8204364
                                  • Instruction ID: 22bd12791dd341b1246041c9a385d61b91d1760cdf0767291cc3965e7a2268ed
                                  • Opcode Fuzzy Hash: 75d0d83780199cc144fb017b1f08f449b45662a803db413a3de17bc6f8204364
                                  • Instruction Fuzzy Hash: F53201B0A04341DFD738CF24C884B6AB7E4BF82315F144569FA958B291C775E94CEB92

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 00F535DE
                                  • RegisterClassExW.USER32(00000030), ref: 00F53608
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F53619
                                  • InitCommonControlsEx.COMCTL32(?), ref: 00F53636
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F53646
                                  • LoadIconW.USER32(000000A9), ref: 00F5365C
                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F5366B
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: c017b25c5cd4206eefb612dc92ea5f564c47e40696f70a55d7f2e65bacf32354
                                  • Instruction ID: 62cd06f161096e8b290b51c7194a0649bc57cd74b9d19c8e2f9c3ddee08d2882
                                  • Opcode Fuzzy Hash: c017b25c5cd4206eefb612dc92ea5f564c47e40696f70a55d7f2e65bacf32354
                                  • Instruction Fuzzy Hash: A921F7B5A0134CAFDB20DFD4E889B9D7BB4FB08740F10411AF651AA294D7B54645DF90

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F9073A: CreateFileW.KERNELBASE(00000000,00000000,?,00F90AA4,?,?,00000000,?,00F90AA4,00000000,0000000C), ref: 00F90757
                                  • GetLastError.KERNEL32 ref: 00F90B0F
                                  • __dosmaperr.LIBCMT ref: 00F90B16
                                  • GetFileType.KERNELBASE(00000000), ref: 00F90B22
                                  • GetLastError.KERNEL32 ref: 00F90B2C
                                  • __dosmaperr.LIBCMT ref: 00F90B35
                                  • CloseHandle.KERNEL32(00000000), ref: 00F90B55
                                  • CloseHandle.KERNEL32(?), ref: 00F90C9F
                                  • GetLastError.KERNEL32 ref: 00F90CD1
                                  • __dosmaperr.LIBCMT ref: 00F90CD8
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: e4473f969579b5f58d69bcf80be845e5089c443f2a734e21997a7294b1b7f1f2
                                  • Instruction ID: d47a515435dd3faa94c49edeb30bcdddd64204fe2bcb1fa54563d397286b2e0b
                                  • Opcode Fuzzy Hash: e4473f969579b5f58d69bcf80be845e5089c443f2a734e21997a7294b1b7f1f2
                                  • Instruction Fuzzy Hash: 31A12832A041488FEF29EF68DC52BAD3BA1AB06324F14015DF815DF3D1DB399912EB52

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F5551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F94B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00F55539
                                    • Part of subcall function 00F551BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F551E1
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F5534B
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F94BD7
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F94C18
                                  • RegCloseKey.ADVAPI32(?), ref: 00F94C5A
                                  • _wcslen.LIBCMT ref: 00F94CC1
                                  • _wcslen.LIBCMT ref: 00F94CD0
                                  Similarity
                                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                  • API String ID: 98802146-2727554177
                                  • Opcode ID: d0f795a22218ec88d50b5b1be940402c4f673edbacb549414db93aab5adce4ec
                                  • Instruction ID: 61f625a151fed808f18a303393a00ecbbafe1d80a4065f72e81575ab91cb74bb
                                  • Opcode Fuzzy Hash: d0f795a22218ec88d50b5b1be940402c4f673edbacb549414db93aab5adce4ec
                                  • Instruction Fuzzy Hash: FC71CF715043009EC720EF65DC8195BBBE8FF98350F50442EF984CB2A5EF7A9A09DB52

                                  Control-flow Graph

                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 00F53465
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00F53474
                                  • LoadIconW.USER32(00000063), ref: 00F5348A
                                  • LoadIconW.USER32(000000A4), ref: 00F5349C
                                  • LoadIconW.USER32(000000A2), ref: 00F534AE
                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F534C6
                                  • RegisterClassExW.USER32(?), ref: 00F53517
                                    • Part of subcall function 00F535AB: GetSysColorBrush.USER32(0000000F), ref: 00F535DE
                                    • Part of subcall function 00F535AB: RegisterClassExW.USER32(00000030), ref: 00F53608
                                    • Part of subcall function 00F535AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F53619
                                    • Part of subcall function 00F535AB: InitCommonControlsEx.COMCTL32(?), ref: 00F53636
                                    • Part of subcall function 00F535AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F53646
                                    • Part of subcall function 00F535AB: LoadIconW.USER32(000000A9), ref: 00F5365C
                                    • Part of subcall function 00F535AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F5366B
                                  Similarity
                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 423443420-4155596026
                                  • Opcode ID: 34d3dd7ee061a06105ddbfc8ec678b2071eaba5b9d0d8ecf478006db693f8ba0
                                  • Instruction ID: aed39dfcd7afcf64ddf775eae5b9fd4ed10a699a8147ddca5c15122754219aae
                                  • Opcode Fuzzy Hash: 34d3dd7ee061a06105ddbfc8ec678b2071eaba5b9d0d8ecf478006db693f8ba0
                                  • Instruction Fuzzy Hash: 0A217CB0D00358ABCB308FE5EC94AA97FB4FB4CB50F60801AFA44A6294C3BA05549F80

                                  Control-flow Graph

                                  APIs
                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F53690,?,?), ref: 00F536FE
                                  • KillTimer.USER32(?,00000001,?,?,?,?,?,00F53690,?,?), ref: 00F5372A
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F5374D
                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F53690,?,?), ref: 00F53758
                                  • CreatePopupMenu.USER32 ref: 00F5376C
                                  • PostQuitMessage.USER32(00000000), ref: 00F5378D
                                  Similarity
                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                  • String ID: TaskbarCreated
                                  • API String ID: 129472671-2362178303
                                  • Opcode ID: 1f6abcbd9548afcf9b1f29e22ace65b9151388e765f4051538df96a03bf31d27
                                  • Instruction ID: 57440352dd3d5b5ed816b98b9a4d950cd7b1bbf8c119c164831b0ccdeef87f9e
                                  • Opcode Fuzzy Hash: 1f6abcbd9548afcf9b1f29e22ace65b9151388e765f4051538df96a03bf31d27
                                  • Instruction Fuzzy Hash: 00413CB2A081487BDB341F7CEC49B793A59F7093E2F104119FF518A285CA799F48B761

                                  Control-flow Graph

                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F52A9B
                                  • CoUninitialize.COMBASE ref: 00F52B3A
                                  • UnregisterHotKey.USER32(?), ref: 00F52D1F
                                  • DestroyWindow.USER32(?), ref: 00F939F5
                                  • FreeLibrary.KERNEL32(?), ref: 00F93A5A
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F93A87
                                  Similarity
                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                  • String ID: close all
                                  • API String ID: 469580280-3243417748
                                  • Opcode ID: 568b918cd432aab517795bd512c787e7682be7571203889513d755e41dae494b
                                  • Instruction ID: eabaf4136a568246a99367d10a13422731855cf4b995a2b7b76dc98b60565cfc
                                  • Opcode Fuzzy Hash: 568b918cd432aab517795bd512c787e7682be7571203889513d755e41dae494b
                                  • Instruction Fuzzy Hash: 37D1BE31701212CFDB19EF15C889B29F7A0BF45711F1442ADE94AAB252CB74ED16EF81

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 38de82b48bcfa1ef935d95a6dc0aa93109cd60a9a62ef813c3ef47aeb142b567
                                  • Instruction ID: 758f092f3fe9995436ed6976b1098a437e28afca7301764fe46d256e7ae5e992
                                  • Opcode Fuzzy Hash: 38de82b48bcfa1ef935d95a6dc0aa93109cd60a9a62ef813c3ef47aeb142b567
                                  • Instruction Fuzzy Hash: 82C12771E082499FDF11EFA8CC45BFD7BB4AF09310F184199E864A7392C7B49942EB61

                                  Control-flow Graph

                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F53568
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53589
                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F532EF,?), ref: 00F5359D
                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F532EF,?), ref: 00F535A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: ffdb79b38c8d2ee98efb731fc6a7ce2626a1d30e48e1d4a7fa00729f1e6302e4
                                  • Instruction ID: a5a765bc0f3b2a994129d4fb480293c9bc93296b716e3b9135fe1310d0349f5f
                                  • Opcode Fuzzy Hash: ffdb79b38c8d2ee98efb731fc6a7ce2626a1d30e48e1d4a7fa00729f1e6302e4
                                  • Instruction Fuzzy Hash: 75F05E706002D47AE7310B536C48E373EBDD7CBF10F20402EF904AB154C26A0851EBB1

                                  Control-flow Graph

                                  APIs
                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F95110
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F56049
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_wcslen
                                  • String ID: Line %d: $AutoIt -
                                  • API String ID: 2289894680-4094128768
                                  • Opcode ID: 50f27fa8b1c256e9980de4bf694f5623af9eca593fc1f6cbcac2bc88bb9106f0
                                  • Instruction ID: 9e33d78dbf1d2a91dcb630673e3cb8798c4ed0ce697b2210e9e5ccde62b31512
                                  • Opcode Fuzzy Hash: 50f27fa8b1c256e9980de4bf694f5623af9eca593fc1f6cbcac2bc88bb9106f0
                                  • Instruction Fuzzy Hash: 3F41E5714083046FC721EB60DC41ADF77DCAF54721F10492EFA9593091EB38964DEB92

                                  Control-flow Graph

                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F555EB,SwapMouseButtons,00000004,?), ref: 00F5561C
                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F555EB,SwapMouseButtons,00000004,?), ref: 00F5563D
                                  • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F555EB,SwapMouseButtons,00000004,?), ref: 00F5565F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 3677997916-824357125
                                  • Opcode ID: b1196ae2d364d38f2ddd6d69b97459538f98c95eb136730b155c0a16c1bcaa6c
                                  • Instruction ID: b6d4bac544d6af3aedce85e85cebb3518b220fd1eb02ef2c9b382c7844318f34
                                  • Opcode Fuzzy Hash: b1196ae2d364d38f2ddd6d69b97459538f98c95eb136730b155c0a16c1bcaa6c
                                  • Instruction Fuzzy Hash: 48117C75611648BFDB208F64CC90EAF7BBCEF00B55F444469FA05D7120D6719E44ABA0
                                  Strings
                                  • Variable must be of type 'Object'., xrefs: 00FA486A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Variable must be of type 'Object'.
                                  • API String ID: 0-109567571
                                  • Opcode ID: 21209635c56abf4ef8a8113ddc68cc0ecaf442f1ebccac0bd1150c0665f83c41
                                  • Instruction ID: c6b5aab5140e1b1da92fc5f2faf6e1fae16dc0a25e8159f778a997aed304682e
                                  • Opcode Fuzzy Hash: 21209635c56abf4ef8a8113ddc68cc0ecaf442f1ebccac0bd1150c0665f83c41
                                  • Instruction Fuzzy Hash: 27C2BF71E00205DFCB20CF58C881BAEB7F1BF49311F2481A9EA45AB351D779AD49EB91
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 00F615A2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Init_thread_footer
                                  • String ID:
                                  • API String ID: 1385522511-0
                                  • Opcode ID: 753a175adb6b9b19f3b86b58365248c1ed901551f911cb802ebd1c8060b0205f
                                  • Instruction ID: 2786c1f0b32f8ab73d545fb63b7856344d2657766bc528af4af5c62fc7d05c6f
                                  • Opcode Fuzzy Hash: 753a175adb6b9b19f3b86b58365248c1ed901551f911cb802ebd1c8060b0205f
                                  • Instruction Fuzzy Hash: 93B26BB5A08341CFDB24CF18C480A2AB7F1BF99710F28895DE9858B351DB75EC45EB92

                                  Control-flow Graph

                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00F709F8
                                    • Part of subcall function 00F73634: RaiseException.KERNEL32(?,?,?,00F70A1A,?,00000000,?,?,?,?,?,?,00F70A1A,00000000,01019758,00000000), ref: 00F73694
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00F70A15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Exception@8Throw$ExceptionRaise
                                  • String ID: Unknown exception
                                  • API String ID: 3476068407-410509341
                                  • Opcode ID: 5823dabe2016df818b3d37ca559f22ba174a877c564e1a01038837e285e6fb6a
                                  • Instruction ID: a0c3632974717af8fd84f58e84d5e08ae2403a93dd6338a6b572441c8281be0a
                                  • Opcode Fuzzy Hash: 5823dabe2016df818b3d37ca559f22ba174a877c564e1a01038837e285e6fb6a
                                  • Instruction Fuzzy Hash: 06F0AF3490020DF79B00BAA5DC56D9D777C5F00720BA0C167BA1C965A3EFB8EA56F582

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FD8C52
                                  • TerminateProcess.KERNEL32(00000000), ref: 00FD8C59
                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 00FD8E3A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$CurrentFreeLibraryTerminate
                                  • String ID:
                                  • API String ID: 146820519-0
                                  • Opcode ID: 8a07b5c5e142a90b78645310fbafc9c99f32602c4f7b6b009d232c7103b61754
                                  • Instruction ID: fe61a5f56c4ebdb1c9b2f9c86f6985bbc88f052edff66ea8d92a8a83e7af8e65
                                  • Opcode Fuzzy Hash: 8a07b5c5e142a90b78645310fbafc9c99f32602c4f7b6b009d232c7103b61754
                                  • Instruction Fuzzy Hash: 41126E719043419FC714DF24C484B2ABBE6FF84364F18895EE8898B392CB75E946DF92
                                  APIs
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F53236
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F5323E
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F53249
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F53254
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F5325C
                                    • Part of subcall function 00F53205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53264
                                    • Part of subcall function 00F5318C: RegisterWindowMessageW.USER32(00000004,?,00F52906), ref: 00F531E4
                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F529AC
                                  • OleInitialize.OLE32 ref: 00F529CA
                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 00F939E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                  • String ID:
                                  • API String ID: 1986988660-0
                                  • Opcode ID: b5b6b83f77ad766ea9f2c80bfa3984fce04d3217bd54691db5762c4f7dffa579
                                  • Instruction ID: 0e8739717a1cc3928dffe5845f3ca6bbb5618c947c482f3132065bd6ff678517
                                  • Opcode Fuzzy Hash: b5b6b83f77ad766ea9f2c80bfa3984fce04d3217bd54691db5762c4f7dffa579
                                  • Instruction Fuzzy Hash: 3A71B7B09012608EC3B8DFF9E9696157AF0FB483053B0812EE58AC735AEB7E8545DF51
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F56CA1
                                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F56CB1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: c57d4062d6412c87672c7629e7370d9d75e5811c5ef34b2e66e52be19dab9e8f
                                  • Instruction ID: dbbb6258042d0944cc87d8675db08c455f26ee460ada8141da9bfd03fbeaf08c
                                  • Opcode Fuzzy Hash: c57d4062d6412c87672c7629e7370d9d75e5811c5ef34b2e66e52be19dab9e8f
                                  • Instruction Fuzzy Hash: 05315C71A00609EFDB14CF68C984B99B7B5FB04726F148629ED25D7340C771BD98EB90
                                  APIs
                                    • Part of subcall function 00F55F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F56049
                                  • KillTimer.USER32(?,00000001,?,?), ref: 00F6FD44
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F6FD53
                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FAFDD3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_Timer$Kill
                                  • String ID:
                                  • API String ID: 3500052701-0
                                  • Opcode ID: b86f17c05bcd4dbfc7d8d83f2d8b96feba93616f25fa46f51a09fb21ad4b11de
                                  • Instruction ID: 7206c627442ccadb9f042e3f993e9e87f3291f38ac0827973bdd363fcd3d6cde
                                  • Opcode Fuzzy Hash: b86f17c05bcd4dbfc7d8d83f2d8b96feba93616f25fa46f51a09fb21ad4b11de
                                  • Instruction Fuzzy Hash: A931C5B1904344AFEB32CF748885BE6BBEC9B02318F0004AED5D99B241C7746A89DB51
                                  APIs
                                  • CloseHandle.KERNELBASE(00000000,00000000,?,?,00F8895C,?,01019CE8,0000000C), ref: 00F88A94
                                  • GetLastError.KERNEL32(?,00F8895C,?,01019CE8,0000000C), ref: 00F88A9E
                                  • __dosmaperr.LIBCMT ref: 00F88AC9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID:
                                  • API String ID: 2583163307-0
                                  • Opcode ID: b7489991aed39f34a2581440fc96e3a04e1716bc0198caf8e9de69ad7cb93e5e
                                  • Instruction ID: 20677fc2260a207b1c7fcd7c21d1786521bbce7eecee777953a07c1585b46e51
                                  • Opcode Fuzzy Hash: b7489991aed39f34a2581440fc96e3a04e1716bc0198caf8e9de69ad7cb93e5e
                                  • Instruction Fuzzy Hash: F7016B33A051546BD26873745C85BFE37499B82FB4F69021BF8188B0D2DE2C9C86B390
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00F897CA,FF8BC369,00000000,00000002,00000000), ref: 00F89754
                                  • GetLastError.KERNEL32(?,00F897CA,FF8BC369,00000000,00000002,00000000,?,00F85EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00F76F61), ref: 00F8975E
                                  • __dosmaperr.LIBCMT ref: 00F89765
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer__dosmaperr
                                  • String ID:
                                  • API String ID: 2336955059-0
                                  • Opcode ID: c16749b86933844992b3bea103015fda3a1788834ec6de9456e2bbc185d2e21f
                                  • Instruction ID: 6b851711241064a37b952389b63dc3a9c28f05e3cf9b5be95849259e7461e66f
                                  • Opcode Fuzzy Hash: c16749b86933844992b3bea103015fda3a1788834ec6de9456e2bbc185d2e21f
                                  • Instruction Fuzzy Hash: BE017033A24118AFCB05AFA9DC45CFE3B2ADF85330B280259F8158B190EA71DD01FB90
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 00F62FB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Init_thread_footer
                                  • String ID: CALL
                                  • API String ID: 1385522511-4196123274
                                  • Opcode ID: 59f560dfcc41aefece8641cecf85c2cc8752bc43fe3355d0c43bd188a8fb8948
                                  • Instruction ID: 9b1e5027dc1b77c91414d7ca8597e7388772ca218d4e813742b2a8c411c4b898
                                  • Opcode Fuzzy Hash: 59f560dfcc41aefece8641cecf85c2cc8752bc43fe3355d0c43bd188a8fb8948
                                  • Instruction Fuzzy Hash: 82229BB1A087019FC714DF14C880B2ABBF1BF99324F14891DF4968B3A2D776E945EB42
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8441eea84cd78a4ac62a6ef27863e7fea6c73234117c767cd048baf0651b5b78
                                  • Instruction ID: f33ef0a7302030c5e9d3be8cf0ff3eb1e23e756d461a286c56c73ef69fc7c882
                                  • Opcode Fuzzy Hash: 8441eea84cd78a4ac62a6ef27863e7fea6c73234117c767cd048baf0651b5b78
                                  • Instruction Fuzzy Hash: 8B32E1B1A00209DFDB20DF54CC81BAEB7B4FF46320F188529E855EB2A1DB75AD44EB51
                                  APIs
                                  • GetOpenFileNameW.COMDLG32(?), ref: 00F94115
                                    • Part of subcall function 00F5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F55558,?,?,00F94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F5559E
                                    • Part of subcall function 00F539DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F539FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Name$Path$FileFullLongOpen
                                  • String ID: X
                                  • API String ID: 779396738-3081909835
                                  • Opcode ID: 641de30c7d2c8402cc0d49dc536d0eeb4947031310cccab3ed9ca90c02580ee0
                                  • Instruction ID: d609562262f6f38f5c1312bb4a6491a4f2fd5c87e0bc212560d0ba2d25d57887
                                  • Opcode Fuzzy Hash: 641de30c7d2c8402cc0d49dc536d0eeb4947031310cccab3ed9ca90c02580ee0
                                  • Instruction Fuzzy Hash: 6A21F371E002889BDF11DF98CC05BEE7BFC9F48311F00401AE945A7285DBBC9A8D9BA1
                                  APIs
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F539C3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_
                                  • String ID:
                                  • API String ID: 1144537725-0
                                  • Opcode ID: 84c8333b11b787ab26c2b7adb27bf39215bbea528eb3aa2158cba6e5ed5c3889
                                  • Instruction ID: a4d7f1a972523147ce8c056fd31f14724ab57a0627c9645040c00180c0516c3a
                                  • Opcode Fuzzy Hash: 84c8333b11b787ab26c2b7adb27bf39215bbea528eb3aa2158cba6e5ed5c3889
                                  • Instruction Fuzzy Hash: 6131C3B09047018FD731DF68D884797BBE8FF48755F10092EEADA87240E7B5A948DB52
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F53B33,?,00008000), ref: 00F56E80
                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F53B33,?,00008000), ref: 00F959A2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 09948331f5c8afd15a6fd6c88dba3d82728a90e84b7f3d10c28a53d18b731082
                                  • Instruction ID: 33779a704f8351ba00dbec5c370fc7861b7b2c43b3e7e823c5988c94d8398263
                                  • Opcode Fuzzy Hash: 09948331f5c8afd15a6fd6c88dba3d82728a90e84b7f3d10c28a53d18b731082
                                  • Instruction Fuzzy Hash: 0D018031545225BAE7710A26CC0EF977F98EF02B71F118210BEA8AE1E0C7B45858EB94
                                  APIs
                                  • IsThemeActive.UXTHEME ref: 00F532C4
                                    • Part of subcall function 00F5326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F53282
                                    • Part of subcall function 00F5326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F53299
                                    • Part of subcall function 00F53312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F532EF,?), ref: 00F53342
                                    • Part of subcall function 00F53312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F532EF,?), ref: 00F53355
                                    • Part of subcall function 00F53312: GetFullPathNameW.KERNEL32(00007FFF,?,?,01022418,01022400,?,?,?,?,?,?,00F532EF,?), ref: 00F533C1
                                    • Part of subcall function 00F53312: SetCurrentDirectoryW.KERNEL32(?,00000001,01022418,?,?,?,?,?,?,?,00F532EF,?), ref: 00F53442
                                  • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00F532FE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                  • String ID:
                                  • API String ID: 1550534281-0
                                  • Opcode ID: 8a1b324520b1c1c8cb09142b649b0e039ae46cb6029de0225e75a27660bd7e6f
                                  • Instruction ID: 54310a429e597e74d43b10c35e47a5096b06ba2e97d2531b692f5b0bfba71e1c
                                  • Opcode Fuzzy Hash: 8a1b324520b1c1c8cb09142b649b0e039ae46cb6029de0225e75a27660bd7e6f
                                  • Instruction Fuzzy Hash: 5BF0B4315143449FE3306FA4EC0AB243B90A708706F648405FA48890D6DBBF8454AF00
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 00F5CE8E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Init_thread_footer
                                  • String ID:
                                  • API String ID: 1385522511-0
                                  • Opcode ID: d4a73799d84edfc6a368a2785ac2d9155e635c3f91f1d29589e6865f5af70675
                                  • Instruction ID: a98f875568a320eaa030d0ba7a8bbbfd7b46db02c0a04db7663709440a3882aa
                                  • Opcode Fuzzy Hash: d4a73799d84edfc6a368a2785ac2d9155e635c3f91f1d29589e6865f5af70675
                                  • Instruction Fuzzy Hash: 6B32C1B5E002059FCB20CF14C885BBAB7B5FF49321F198059EE56AB351C778AD45EB90
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 00FD628D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Init_thread_footer
                                  • String ID:
                                  • API String ID: 1385522511-0
                                  • Opcode ID: cb1897d1be2351d55563f189b2579c1783e9b41ace9f7a5adcd0b75ec8b393bf
                                  • Instruction ID: 4e11fd62124c4c5f7deed9b22429a10fb425274a9cc6eab2a1c6b244cd670f69
                                  • Opcode Fuzzy Hash: cb1897d1be2351d55563f189b2579c1783e9b41ace9f7a5adcd0b75ec8b393bf
                                  • Instruction Fuzzy Hash: B7719B31A00115AFCB24CF54C880ABAB7B6FF49310F28802EF945DB381D779AD95EB50
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3770b1f8e6fcddb72242fce5dd0959559e3ae346de30db02ca504f36100f7b4
                                  • Instruction ID: 2705b74d3b2d8b26f822d1707666f4bf74747062ccadaa55ed4c65adbbc15b90
                                  • Opcode Fuzzy Hash: c3770b1f8e6fcddb72242fce5dd0959559e3ae346de30db02ca504f36100f7b4
                                  • Instruction Fuzzy Hash: 7C51D636E00108AFDB10DF58CC40BA97BB1AB85364F19C16AE81C9B392D7719D46DB91
                                  APIs
                                  • CharLowerBuffW.USER32(?,?), ref: 00FBFBE3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: BuffCharLower
                                  • String ID:
                                  • API String ID: 2358735015-0
                                  • Opcode ID: f8f3013b56bfd54efc5e35879b9b7a015d3175be84f943d8d83258d88c891f00
                                  • Instruction ID: 8f799b14f5183173856e57348ba6fe7cf3afaa1164624d129b551b6455d2c3b5
                                  • Opcode Fuzzy Hash: f8f3013b56bfd54efc5e35879b9b7a015d3175be84f943d8d83258d88c891f00
                                  • Instruction Fuzzy Hash: 2C41A4B2900209AFCB11EF75CC819EEB7B8EF48314B11853EE916D7251EB70DA48DB50
                                  APIs
                                    • Part of subcall function 00F56332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F5637F,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F5633E
                                    • Part of subcall function 00F56332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F56350
                                    • Part of subcall function 00F56332: FreeLibrary.KERNEL32(00000000,?,?,00F5637F,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56362
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F5639F
                                    • Part of subcall function 00F562FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F954C3,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56304
                                    • Part of subcall function 00F562FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F56316
                                    • Part of subcall function 00F562FB: FreeLibrary.KERNEL32(00000000,?,?,00F954C3,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56329
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Library$Load$AddressFreeProc
                                  • String ID:
                                  • API String ID: 2632591731-0
                                  • Opcode ID: 5138814acc1dc269c81186466c7c49640e287dc1e1f932c56262d7256904ad81
                                  • Instruction ID: 61272b2fa793233fb48c4e2c6cc1001d63ba3148c9745d2b6096c68bcea89291
                                  • Opcode Fuzzy Hash: 5138814acc1dc269c81186466c7c49640e287dc1e1f932c56262d7256904ad81
                                  • Instruction Fuzzy Hash: 9F112B32600205AACF14FB64CC02BAD77A19F50752F50842DFA52EB1C1EEB89A49B750
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: __wsopen_s
                                  • String ID:
                                  • API String ID: 3347428461-0
                                  • Opcode ID: e1066a91c7eb7be8ce269480b8a051585fb2f70a8039ee4802599e8761acd743
                                  • Instruction ID: b99c9889d28a05823ca92c27b3627dba7d9202bd8890c226cbd63233761dc68e
                                  • Opcode Fuzzy Hash: e1066a91c7eb7be8ce269480b8a051585fb2f70a8039ee4802599e8761acd743
                                  • Instruction Fuzzy Hash: 2E112A7690410AAFCF16DF58E941ADE7BF5EF48310F104069F809AB351DA31EA12DBA5
                                  APIs
                                  • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F56B73,?,00010000,00000000,00000000,00000000,00000000), ref: 00F5B0AC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: aeb2a17c9b6ad06c9f11df223e995832a277ad712159b47ee42734a08f7cd9bd
                                  • Instruction ID: 0b71a4723c5f9678a555dc314e4a2388dcd8ff210430039ab9bdb6985ffeebf4
                                  • Opcode Fuzzy Hash: aeb2a17c9b6ad06c9f11df223e995832a277ad712159b47ee42734a08f7cd9bd
                                  • Instruction Fuzzy Hash: D4114832200705DFD730CF15C880B67B7E9EF45365F10C42EEAAA8BA90C771A949EB60
                                  APIs
                                    • Part of subcall function 00F8500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00F831B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 00F8504E
                                  • _free.LIBCMT ref: 00F853FC
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                  • Instruction ID: 96396f116624a905b9b84b63735b95a890fd62ea30263c53a935e4f6ad711cf3
                                  • Opcode Fuzzy Hash: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
                                  • Instruction Fuzzy Hash: 6F0149B36047096BE3219F65DC45A9AFBDDEB89370F25061DE5D4832C0EA70A805CB74
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                  • Instruction ID: 16c83711996b42462fbdf8e05bf731a2801d86b6c42c61f55c00cbf9026a8958
                                  • Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
                                  • Instruction Fuzzy Hash: C4F02833901A249BD6313A6A9C05BDA33A89F46374F108757FA6D921D1EF78D802B793
                                  APIs
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID:
                                  • API String ID: 176396367-0
                                  • Opcode ID: 41857fa16978e823efbc9f025671a5b1dff55116fb35f6b10a015bb473353f75
                                  • Instruction ID: bb0d720854c01871de4f8f516029e32dc3d5036d91d83184fa3435ddafafabc3
                                  • Opcode Fuzzy Hash: 41857fa16978e823efbc9f025671a5b1dff55116fb35f6b10a015bb473353f75
                                  • Instruction Fuzzy Hash: F1F0F4B3600A00BEC7119F28CC06A6ABB98EF44360F50C22AFA19CB1D0DB75E4149AA0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00F831B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 00F8504E
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 9524fdd0bb0c35a4c00bd4f570a0abe21892420f8f9f676d324d14469a594e9f
                                  • Instruction ID: 447c3f3feeb143b8e9a24b6b39c1562e75440e47dda5a5890f4585034b1aa76e
                                  • Opcode Fuzzy Hash: 9524fdd0bb0c35a4c00bd4f570a0abe21892420f8f9f676d324d14469a594e9f
                                  • Instruction Fuzzy Hash: AEF0E932E05E2667DB313E629C01BDA3748AF41FB2B148016FC08A6191CA78D800B7E1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A99,?,0000015D,?,?,?,?,00F785D0,000000FF,00000000,?,?), ref: 00F83BE2
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 1638d331be7318d6613fa6f5ec52e3957e0e4715eb122bfee248f5329287b49e
                                  • Instruction ID: 93974ae40554177b081cd305662b7dedd1cb75891f54ac366ef1206e29aa9f5a
                                  • Opcode Fuzzy Hash: 1638d331be7318d6613fa6f5ec52e3957e0e4715eb122bfee248f5329287b49e
                                  • Instruction Fuzzy Hash: FAE0E571A0521457E6303A669C00FDA3649DB81FB0F154122EC49D60B1DB65DE00B3F1
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: afb4f11db437cc7f2415c55c23da6c73bf75e8de6ac15c79a24fa60df46269c3
                                  • Instruction ID: 0530d1c1c455b487edb1180fcf60df783b0179e2ce3099acccc5df2234c20429
                                  • Opcode Fuzzy Hash: afb4f11db437cc7f2415c55c23da6c73bf75e8de6ac15c79a24fa60df46269c3
                                  • Instruction Fuzzy Hash: E8F08571400702CFDB348F20D890812BBE0FF0432A324893EE6EB87620C735A848EF40
                                  APIs
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 1b59db63729321147ad54aba72f177276e0f1bdf1fa7e8b14746159616d4aad6
                                  • Instruction ID: a1d29919c1bed9de152b86858ccb14b19fff47b55af0891ccd851d0fcb36d32b
                                  • Opcode Fuzzy Hash: 1b59db63729321147ad54aba72f177276e0f1bdf1fa7e8b14746159616d4aad6
                                  • Instruction Fuzzy Hash: 71F0E5F2B042049AD7209A749805BA2F7D4BF11324F1C890AD4D9C2181CBB954947752
                                  APIs
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: e6e586e9dd445f0d669f0c2c12b60dc975ca3bd0777bafe764439a21d40e66e4
                                  • Instruction ID: 459643b6feb736a8ad87d06c7005661aeb0d691aff30b09e8c10ed27cb3f37f7
                                  • Opcode Fuzzy Hash: e6e586e9dd445f0d669f0c2c12b60dc975ca3bd0777bafe764439a21d40e66e4
                                  • Instruction Fuzzy Hash: F6F06572E002149BCF20DF94D840B5AB7E4BF15761F10446AE998DB240EA769C54AB91
                                  APIs
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                  • Instruction ID: 3dee7e319524da6736be9053a272e15f152614280ddb10116d289129e2746adb
                                  • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                  • Instruction Fuzzy Hash: 62F0F87640020DFFDF05DF90C941E9E7B79FB08318F248485F9199A152D336DA21EBA1
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00F941AF,01014600,00000002), ref: 00FBD4E6
                                    • Part of subcall function 00FBD3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00FBD4D9,?,?,?), ref: 00FBD419
                                    • Part of subcall function 00FBD3F7: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00FBD4D9,?,?,?,?,00F941AF,01014600,00000002), ref: 00FBD42E
                                    • Part of subcall function 00FBD3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00FBD4D9,?,?,?,?,00F941AF,01014600,00000002), ref: 00FBD43A
                                  Similarity
                                  • API ID: File$Pointer$Write
                                  • String ID:
                                  • API String ID: 3847668363-0
                                  • Opcode ID: a238e368fb02316a5b15b6c5b64939bebdb56321f1b97d8cd44ea050542e9203
                                  • Instruction ID: 5c405e2a3021bafa8d932af5de910ff5fd2b2468154d46100aa1e8c39411274f
                                  • Opcode Fuzzy Hash: a238e368fb02316a5b15b6c5b64939bebdb56321f1b97d8cd44ea050542e9203
                                  • Instruction Fuzzy Hash: 7BE03976900608EFD7219F4ADC408AAB7F8FF80220710852FE99682510E7B5AA04EF61
                                  APIs
                                  • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F538EA
                                  Similarity
                                  • API ID: IconNotifyShell_
                                  • String ID:
                                  • API String ID: 1144537725-0
                                  • Opcode ID: e43127d5d3784f088e922538a2a158145435217f23dea73eac35e3c5e881c5e9
                                  • Instruction ID: fa9c48ae64a5ba7daeb3e0ffe68cdea44c5bb5a91ae89f0f76853d6009932df6
                                  • Opcode Fuzzy Hash: e43127d5d3784f088e922538a2a158145435217f23dea73eac35e3c5e881c5e9
                                  • Instruction Fuzzy Hash: 8FF0A7709003089FEB72DF64DC467957BBCAB01708F1040A6E68896186D7754788CF42
                                  APIs
                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F539FD
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  Similarity
                                  • API ID: LongNamePath_wcslen
                                  • String ID:
                                  • API String ID: 541455249-0
                                  • Opcode ID: 5640dd6248cbf6b95bf6de2dd27f9e3bbf18c53b23e8cf32de38eea6326477fc
                                  • Instruction ID: 788c2741f4510ace344b1db1414d05b31cd7e64ac5c41ae23d0b045734864ff1
                                  • Opcode Fuzzy Hash: 5640dd6248cbf6b95bf6de2dd27f9e3bbf18c53b23e8cf32de38eea6326477fc
                                  • Instruction Fuzzy Hash: B7E0CD7250012457DB10D3589C05FDA77DDDFC8791F040071FD05D7248DD64DD809590
                                  APIs
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 23e16f4725c499be2291804fc20bf7b23b977d4e119df3ac3e24964de8c97ac7
                                  • Instruction ID: 42038d8e0e2711f6c06c0ea6dc5171894c7b4c3d883cf5baf47a79122b3d1adf
                                  • Opcode Fuzzy Hash: 23e16f4725c499be2291804fc20bf7b23b977d4e119df3ac3e24964de8c97ac7
                                  • Instruction Fuzzy Hash: 98E08672F0115897CF21CEA49C41B6EB374BB11362F100162E948FA550CA269C55A692
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,00000000,?,00F90AA4,?,?,00000000,?,00F90AA4,00000000,0000000C), ref: 00F90757
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 05e304e2aa41afdb08b7a684b04ad276096e6f41ea3f1f0f5244bdb75dae3e9b
                                  • Instruction ID: 24375731038bc12daeca954b0d93773ae2fcfc5db22328956f5e2ef5fb001ed3
                                  • Opcode Fuzzy Hash: 05e304e2aa41afdb08b7a684b04ad276096e6f41ea3f1f0f5244bdb75dae3e9b
                                  • Instruction Fuzzy Hash: C6D06C3200014DBFDF028F84DD46EDA3BAAFB48714F014000BE1856020C736E821AB91
                                  APIs
                                    • Part of subcall function 00F56E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F53B33,?,00008000), ref: 00F56E80
                                  • GetLastError.KERNEL32(00000002,00000000), ref: 00FC8038
                                  Similarity
                                  • API ID: CreateErrorFileLast
                                  • String ID:
                                  • API String ID: 1214770103-0
                                  • Opcode ID: 086407a6f3072cfd625f9ed1b1923adada7216f5f4948a367d1c7ea467e18cc2
                                  • Instruction ID: f7066f7860bc602889eb14c617097b90d57b114ca8b46df8c879c9dc189d1603
                                  • Opcode Fuzzy Hash: 086407a6f3072cfd625f9ed1b1923adada7216f5f4948a367d1c7ea467e18cc2
                                  • Instruction Fuzzy Hash: 1C8180306083029FC714EF24C992B6DB7E1AF88315F04455DFD969B292CB78AD49EF92
                                  APIs
                                  • CloseHandle.KERNELBASE(?,?,00000000,00F93A1C), ref: 00F57973
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 14f781ff525d16068b55228586b2d72e9e3a8310d373b2d27170d96dfc22ea9c
                                  • Instruction ID: e40b3ba4c7d61fd2fbb03d911fa2b67f278aa05f6618a5ed184bb7e361b44ecc
                                  • Opcode Fuzzy Hash: 14f781ff525d16068b55228586b2d72e9e3a8310d373b2d27170d96dfc22ea9c
                                  • Instruction Fuzzy Hash: D0E0B675804B22CFD3315F1AE844412FBF4FFD23723204A2ED5E582660D3B0588AEB60
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?), ref: 00FE9F79
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FE9FBA
                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FE9FFE
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FEA028
                                  • SendMessageW.USER32 ref: 00FEA051
                                  • GetKeyState.USER32(00000011), ref: 00FEA0EA
                                  • GetKeyState.USER32(00000009), ref: 00FEA0F7
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FEA10D
                                  • GetKeyState.USER32(00000010), ref: 00FEA117
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FEA148
                                  • SendMessageW.USER32 ref: 00FEA16F
                                  • SendMessageW.USER32(?,00001030,?,Function_000987F4), ref: 00FEA277
                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?), ref: 00FEA28D
                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FEA2A0
                                  • SetCapture.USER32(?), ref: 00FEA2A9
                                  • ClientToScreen.USER32(?,?), ref: 00FEA30E
                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FEA31B
                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00FEA335
                                  • ReleaseCapture.USER32 ref: 00FEA340
                                  • GetCursorPos.USER32(?), ref: 00FEA378
                                  • ScreenToClient.USER32(?,?), ref: 00FEA385
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FEA3DF
                                  • SendMessageW.USER32 ref: 00FEA40D
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FEA44A
                                  • SendMessageW.USER32 ref: 00FEA479
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FEA49A
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FEA4A9
                                  • GetCursorPos.USER32(?), ref: 00FEA4C7
                                  • ScreenToClient.USER32(?,?), ref: 00FEA4D4
                                  • GetParent.USER32(?), ref: 00FEA4F2
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FEA559
                                  • SendMessageW.USER32 ref: 00FEA58A
                                  • ClientToScreen.USER32(?,?), ref: 00FEA5E3
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FEA613
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FEA63D
                                  • SendMessageW.USER32 ref: 00FEA660
                                  • ClientToScreen.USER32(?,?), ref: 00FEA6AD
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FEA6E1
                                    • Part of subcall function 00F521E4: GetWindowLongW.USER32(?,000000EB), ref: 00F521F2
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FEA764
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 3429851547-4164748364
                                  • Opcode ID: 5818f14e2a0081e0584bab42a724529b7d3bb0efec48f1b271e7c0b0fae08eac
                                  • Instruction ID: be3dd259e7d6c6a4ac544558f8d40ac9f9341d6e65bdf7eaa2b39db5fca5ae4c
                                  • Opcode Fuzzy Hash: 5818f14e2a0081e0584bab42a724529b7d3bb0efec48f1b271e7c0b0fae08eac
                                  • Instruction Fuzzy Hash: 7A42C074609284AFD725CF25CC84AAABBF4FF49364F140619F696CB2A0C771E850EF52
                                  APIs
                                  • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F6FC94
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FAFC58
                                  • IsIconic.USER32(00000000), ref: 00FAFC61
                                  • ShowWindow.USER32(00000000,00000009), ref: 00FAFC6E
                                  • SetForegroundWindow.USER32(00000000), ref: 00FAFC78
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FAFC8E
                                  • GetCurrentThreadId.KERNEL32 ref: 00FAFC95
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FAFCA1
                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FAFCB2
                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FAFCBA
                                  • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FAFCC2
                                  • SetForegroundWindow.USER32(00000000), ref: 00FAFCC5
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFCDA
                                  • keybd_event.USER32(00000012,00000000), ref: 00FAFCE5
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFCEF
                                  • keybd_event.USER32(00000012,00000000), ref: 00FAFCF4
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFCFD
                                  • keybd_event.USER32(00000012,00000000), ref: 00FAFD02
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFD0C
                                  • keybd_event.USER32(00000012,00000000), ref: 00FAFD11
                                  • SetForegroundWindow.USER32(00000000), ref: 00FAFD14
                                  • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FAFD3B
                                  Similarity
                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 4125248594-2988720461
                                  • Opcode ID: 6e640a0dbd9881f52c7e48b709452f20a324f126ff21cfb048d02b2d821e0638
                                  • Instruction ID: 0ddc46b5b883a8d7209f4badae3ea905df71ae418984bc75c7f3f370c73cd5cc
                                  • Opcode Fuzzy Hash: 6e640a0dbd9881f52c7e48b709452f20a324f126ff21cfb048d02b2d821e0638
                                  • Instruction Fuzzy Hash: 173172B1A4035CBBEB216BA55C8AF7F7E6CEB45B64F140065FA01EE1D1D6B05D00BAA0
                                  APIs
                                    • Part of subcall function 00FB1F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB1F9D
                                    • Part of subcall function 00FB1F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB1FCA
                                    • Part of subcall function 00FB1F53: GetLastError.KERNEL32 ref: 00FB1FDA
                                  • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FB1B16
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FB1B38
                                  • CloseHandle.KERNEL32(?), ref: 00FB1B49
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FB1B61
                                  • GetProcessWindowStation.USER32 ref: 00FB1B7A
                                  • SetProcessWindowStation.USER32(00000000), ref: 00FB1B84
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FB1BA0
                                    • Part of subcall function 00FB194F: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FB1A8C), ref: 00FB1964
                                    • Part of subcall function 00FB194F: CloseHandle.KERNEL32(?,?,00FB1A8C), ref: 00FB1979
                                  Similarity
                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                  • String ID: $default$winsta0
                                  • API String ID: 22674027-1027155976
                                  • Opcode ID: 44c9fbc62a878c267c30aad535bc6d0c31cd315439b9f6b237d8ffc6ae6bf5d8
                                  • Instruction ID: 2dc79f0a0881508adfea8397769362963978ad77ae30a2821bbf9488a0c94281
                                  • Opcode Fuzzy Hash: 44c9fbc62a878c267c30aad535bc6d0c31cd315439b9f6b237d8ffc6ae6bf5d8
                                  • Instruction Fuzzy Hash: 2D819AB1A0024DAFDF219FA6DC59BEE7BB9FF08310F144029F914AA1A0D7758955EF20
                                  APIs
                                    • Part of subcall function 00FB1989: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB19A4
                                    • Part of subcall function 00FB1989: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19B0
                                    • Part of subcall function 00FB1989: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19BF
                                    • Part of subcall function 00FB1989: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19C6
                                    • Part of subcall function 00FB1989: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB19DD
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FB145C
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FB1490
                                  • GetLengthSid.ADVAPI32(?), ref: 00FB14A7
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00FB14E1
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FB14FD
                                  • GetLengthSid.ADVAPI32(?), ref: 00FB1514
                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FB151C
                                  • HeapAlloc.KERNEL32(00000000), ref: 00FB1523
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FB1544
                                  • CopySid.ADVAPI32(00000000), ref: 00FB154B
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FB157A
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FB159C
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FB15AE
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB15D5
                                  • HeapFree.KERNEL32(00000000), ref: 00FB15DC
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB15E5
                                  • HeapFree.KERNEL32(00000000), ref: 00FB15EC
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB15F5
                                  • HeapFree.KERNEL32(00000000), ref: 00FB15FC
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB1608
                                  • HeapFree.KERNEL32(00000000), ref: 00FB160F
                                    • Part of subcall function 00FB1A23: GetProcessHeap.KERNEL32(00000008,00FB1441,?,00000000,?,00FB1441,?), ref: 00FB1A31
                                    • Part of subcall function 00FB1A23: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FB1441,?), ref: 00FB1A38
                                    • Part of subcall function 00FB1A23: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FB1441,?), ref: 00FB1A47
                                  Similarity
                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                  • String ID:
                                  • API String ID: 4175595110-0
                                  • Opcode ID: 0a9c00b763a0b61e6f97432ffdcade75bf178d083ee5df9be9658f549a252bf0
                                  • Instruction ID: 88943ba57f04ae0ae40e1f92e0bf40c65b04dad6980e09aae3c10201ce5eda30
                                  • Opcode Fuzzy Hash: 0a9c00b763a0b61e6f97432ffdcade75bf178d083ee5df9be9658f549a252bf0
                                  • Instruction Fuzzy Hash: A97159B2900209EFDF20DFA6DC84FEEBBB9BF44310F484125E915AA591D7359A05EF60
                                  APIs
                                  • OpenClipboard.USER32(00FEDCD0), ref: 00FCF486
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00FCF494
                                  • GetClipboardData.USER32(0000000D), ref: 00FCF4A0
                                  • CloseClipboard.USER32 ref: 00FCF4AC
                                  • GlobalLock.KERNEL32(00000000), ref: 00FCF4E4
                                  • CloseClipboard.USER32 ref: 00FCF4EE
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00FCF519
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00FCF526
                                  • GetClipboardData.USER32(00000001), ref: 00FCF52E
                                  • GlobalLock.KERNEL32(00000000), ref: 00FCF53F
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00FCF57F
                                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 00FCF595
                                  • GetClipboardData.USER32(0000000F), ref: 00FCF5A1
                                  • GlobalLock.KERNEL32(00000000), ref: 00FCF5B2
                                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FCF5D4
                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FCF5F1
                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FCF62F
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00FCF650
                                  • CountClipboardFormats.USER32 ref: 00FCF671
                                  • CloseClipboard.USER32 ref: 00FCF6B6
                                  Similarity
                                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                  • String ID:
                                  • API String ID: 420908878-0
                                  • Opcode ID: 3c782a84672ba6b3cad507fb4ab63bbd05cb6ff8eca52cb1917fc6c796440e31
                                  • Instruction ID: 275c599984eae8d93d11d99b932b6421d141b7232c68a0ba93e101d7b144f00c
                                  • Opcode Fuzzy Hash: 3c782a84672ba6b3cad507fb4ab63bbd05cb6ff8eca52cb1917fc6c796440e31
                                  • Instruction Fuzzy Hash: 3161D0312043469FC314EF20DD89F2ABBA5AF84714F14446DF956CB2A2DB35ED09EB62
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00FC7318
                                  • FindClose.KERNEL32(00000000), ref: 00FC736C
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FC73A8
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FC73CF
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FC740C
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FC7439
                                  Similarity
                                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                  • API String ID: 3830820486-3289030164
                                  • Opcode ID: c95ed6f85199adac8459bf35bf367738183ad7fb96c32fe92921366444b2a6b8
                                  • Instruction ID: efe0d1b06197e904dde4fda7575b75050eec213e7606d1efef9f38f783cac5dd
                                  • Opcode Fuzzy Hash: c95ed6f85199adac8459bf35bf367738183ad7fb96c32fe92921366444b2a6b8
                                  • Instruction Fuzzy Hash: 6ED150725083449FC314EF64CC82EAFB7ECAF98705F04091DFA8596191EB78DA48DB62
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FC469A
                                  • _wcslen.LIBCMT ref: 00FC46C7
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FC46F7
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FC4718
                                  • RemoveDirectoryW.KERNEL32(?), ref: 00FC4728
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FC47AF
                                  • CloseHandle.KERNEL32(00000000), ref: 00FC47BA
                                  • CloseHandle.KERNEL32(00000000), ref: 00FC47C5
                                  Similarity
                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                  • String ID: :$\$\??\%s
                                  • API String ID: 1149970189-3457252023
                                  • Opcode ID: 5b109ed89411a98540d33195e0fbf04ceca1fea180328ffe94260c1a63e5a4f3
                                  • Instruction ID: c3fde1f74fab7c3aa68a2dfb1bf9f8bdecfd1b82dc2e73d4e84d65a87cee3473
                                  • Opcode Fuzzy Hash: 5b109ed89411a98540d33195e0fbf04ceca1fea180328ffe94260c1a63e5a4f3
                                  • Instruction Fuzzy Hash: FE31C67190024AABDB21DFA0DD85FEB37BCEF89750F1041BAF619D6060E7749644AB24
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FCA11B
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00FCA176
                                  • FindClose.KERNEL32(00000000), ref: 00FCA181
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00FCA19D
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FCA1ED
                                  • SetCurrentDirectoryW.KERNEL32(01017B94), ref: 00FCA20B
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FCA215
                                  • FindClose.KERNEL32(00000000), ref: 00FCA222
                                  • FindClose.KERNEL32(00000000), ref: 00FCA232
                                    • Part of subcall function 00FBE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FBE2C9
                                  Similarity
                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 2640511053-438819550
                                  • Opcode ID: caef58521b6c8d625ee48281d25d70099325a6894073110c8b887b2d70752baf
                                  • Instruction ID: f9fa2d51e83e1c9712f7dcfd4870c4d13cdbc93a241f6ee50551e5b127074e71
                                  • Opcode Fuzzy Hash: caef58521b6c8d625ee48281d25d70099325a6894073110c8b887b2d70752baf
                                  • Instruction Fuzzy Hash: AC31487290021E6ECB10AFA4DC4AFDE33AC9F05338F144199E910E7090DB75EE44EA52
                                  APIs
                                    • Part of subcall function 00FDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC00D,?,?), ref: 00FDD314
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD350
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3C7
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3FD
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC89D
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FDC908
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00FDC92C
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FDC98B
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FDCA46
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCAB3
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCB48
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDCB99
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCC42
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FDCCE1
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00FDCCEE
                                  Similarity
                                  • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                  • String ID:
                                  • API String ID: 3102970594-0
                                  • Opcode ID: 03a4b296c74db7e6ac3f03d42c11b0c3352d603e259e3d597706bcf7656aa5af
                                  • Instruction ID: 23e7b5daaf291d9369d8bcacf19b3ec1d1ae7a1adc5cf93aed46f62841d561c3
                                  • Opcode Fuzzy Hash: 03a4b296c74db7e6ac3f03d42c11b0c3352d603e259e3d597706bcf7656aa5af
                                  • Instruction Fuzzy Hash: E3027E716042419FC714DF24C895E2ABBE5EF88314F18849EF94ACB3A2CB35ED46DB91
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00FBA572
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00FBA5F3
                                  • GetKeyState.USER32(000000A0), ref: 00FBA60E
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00FBA628
                                  • GetKeyState.USER32(000000A1), ref: 00FBA63D
                                  • GetAsyncKeyState.USER32(00000011), ref: 00FBA655
                                  • GetKeyState.USER32(00000011), ref: 00FBA667
                                  • GetAsyncKeyState.USER32(00000012), ref: 00FBA67F
                                  • GetKeyState.USER32(00000012), ref: 00FBA691
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00FBA6A9
                                  • GetKeyState.USER32(0000005B), ref: 00FBA6BB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: cd03889f58f98bf119cd8c9348277a93566e24aecef1baa3110f3e17c7c8e758
                                  • Instruction ID: 37af0aec05def4f86ca6f61bf0053919ac5d9ad368a513a68fc2a54289065545
                                  • Opcode Fuzzy Hash: cd03889f58f98bf119cd8c9348277a93566e24aecef1baa3110f3e17c7c8e758
                                  • Instruction Fuzzy Hash: 2641A3A4E047C96AFF319B61C8143E5BFA26F11364F0C8059D5C64A5C2EB949EC4AF63
                                  APIs
                                    • Part of subcall function 00F5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F55558,?,?,00F94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F5559E
                                    • Part of subcall function 00FBE9C5: GetFileAttributesW.KERNEL32(?,00FBD755), ref: 00FBE9C6
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00FBD8E2
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FBD99D
                                  • MoveFileW.KERNEL32(?,?), ref: 00FBD9B0
                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00FBD9CD
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FBD9F7
                                    • Part of subcall function 00FBDA5C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FBD9DC,?,?), ref: 00FBDA72
                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 00FBDA13
                                  • FindClose.KERNEL32(00000000), ref: 00FBDA24
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                  • String ID: \*.*
                                  • API String ID: 1946585618-1173974218
                                  • Opcode ID: e83f2dacc8fd681752dd547d5b19ba6365e131c76312c874fc158cb93c37efee
                                  • Instruction ID: 45614ba6c5fa1322549a69bf197c43465b483c1ceac15619fcde100e4cc6f007
                                  • Opcode Fuzzy Hash: e83f2dacc8fd681752dd547d5b19ba6365e131c76312c874fc158cb93c37efee
                                  • Instruction Fuzzy Hash: 4D615A31C0114DAACF05EBA1DE929EDB7B9AF15301F244065E902B71A2EB395F0DEF51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  • Opcode ID: 5e9d4edbf5c8404fef9d222c983486d0b8f6fb7e6caeebf9e4544599487e607f
                                  • Instruction ID: b48e2833a1f147941649411ac5e31dde8bbbb34fee8f742049d3fc85ea20ef71
                                  • Opcode Fuzzy Hash: 5e9d4edbf5c8404fef9d222c983486d0b8f6fb7e6caeebf9e4544599487e607f
                                  • Instruction Fuzzy Hash: FB41DD35604602AFD720CF14D889F15BBE1EF44368F14C0ADE8198FAA2C735ED46EB91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FB1CD9,?,?,00000000), ref: 00FB209C
                                  • HeapAlloc.KERNEL32(00000000,?,00FB1CD9,?,?,00000000), ref: 00FB20A3
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FB1CD9,?,?,00000000), ref: 00FB20B8
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00FB1CD9,?,?,00000000), ref: 00FB20C0
                                  • DuplicateHandle.KERNEL32(00000000,?,00FB1CD9,?,?,00000000), ref: 00FB20C3
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FB1CD9,?,?,00000000), ref: 00FB20D3
                                  • GetCurrentProcess.KERNEL32(00FB1CD9,00000000,?,00FB1CD9,?,?,00000000), ref: 00FB20DB
                                  • DuplicateHandle.KERNEL32(00000000,?,00FB1CD9,?,?,00000000), ref: 00FB20DE
                                  • CreateThread.KERNEL32(00000000,00000000,00FB2104,00000000,00000000,00000000), ref: 00FB20F8
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                  • String ID:
                                  • API String ID: 1957940570-0
                                  • Opcode ID: ab4b065bfd1a930e51d647f9ec1976cd5d3123a0ab539d81d10c91ebadcd1b27
                                  • Instruction ID: 7472edc322bd9e93d898da09c2de25c23ef412cabd2fbee58b977d525d7d1fe0
                                  • Opcode Fuzzy Hash: ab4b065bfd1a930e51d647f9ec1976cd5d3123a0ab539d81d10c91ebadcd1b27
                                  • Instruction Fuzzy Hash: 0F01B6B5240348BFF710ABA5DC8EF6B3BACEB89711F004411FA15DF6A1CA749800DB21
                                  APIs
                                    • Part of subcall function 00FB1F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB1F9D
                                    • Part of subcall function 00FB1F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB1FCA
                                    • Part of subcall function 00FB1F53: GetLastError.KERNEL32 ref: 00FB1FDA
                                  • ExitWindowsEx.USER32(?,00000000), ref: 00FBF15E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                  • String ID: $ $@$SeShutdownPrivilege
                                  • API String ID: 2234035333-3163812486
                                  • Opcode ID: 0e868131a96c09b63e055275db793c9475ce712aec1327514df3cdec8f2d3e4c
                                  • Instruction ID: 909761cae5cfeb3ce7c54b2606281d304246278b4465dc3f369a5aaf64e13316
                                  • Opcode Fuzzy Hash: 0e868131a96c09b63e055275db793c9475ce712aec1327514df3cdec8f2d3e4c
                                  • Instruction Fuzzy Hash: 7D01D672A10314ABE72426BEDC85BFF726CAB08354F554C31F902E60D1D6644D08B9A0
                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FD1BD3
                                  • WSAGetLastError.WSOCK32 ref: 00FD1BE0
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00FD1C17
                                  • WSAGetLastError.WSOCK32 ref: 00FD1C22
                                  • closesocket.WSOCK32(00000000), ref: 00FD1C51
                                  • listen.WSOCK32(00000000,00000005), ref: 00FD1C60
                                  • WSAGetLastError.WSOCK32 ref: 00FD1C6A
                                  • closesocket.WSOCK32(00000000), ref: 00FD1C99
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                  • String ID:
                                  • API String ID: 540024437-0
                                  • Opcode ID: 07059375aa26a579f10bc9ea78d7c6bc417fac31106c2aaa7cbf1b20e6d997a8
                                  • Instruction ID: a7488cf3281fbcacc61a0805b12828bcbb661a91908bf1559a0017e452f4bca8
                                  • Opcode Fuzzy Hash: 07059375aa26a579f10bc9ea78d7c6bc417fac31106c2aaa7cbf1b20e6d997a8
                                  • Instruction Fuzzy Hash: 30418431A00140AFD710DF24C5C4B65BBE6BF85328F18819AD8569F392C775ED85DBE1
                                  APIs
                                  • _free.LIBCMT ref: 00F8BD74
                                  • _free.LIBCMT ref: 00F8BD98
                                  • _free.LIBCMT ref: 00F8BF1F
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FF46D0), ref: 00F8BF31
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0102221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F8BFA9
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,01022270,000000FF,?,0000003F,00000000,?), ref: 00F8BFD6
                                  • _free.LIBCMT ref: 00F8C0EB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: 55596a2bb9edcadaf3b7610b65c97b13aa6c091d4009c37599ddf2e2d265469f
                                  • Instruction ID: fb9f607788ac133ae9acd4fef72e99a9859469bfc90c0faa76c95a355067174e
                                  • Opcode Fuzzy Hash: 55596a2bb9edcadaf3b7610b65c97b13aa6c091d4009c37599ddf2e2d265469f
                                  • Instruction Fuzzy Hash: 74C12872D00249AFDB20BF688C41BEE7BB9EF42360F24419AE594D7251E7359E41EB90
                                  APIs
                                    • Part of subcall function 00F5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F55558,?,?,00F94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F5559E
                                    • Part of subcall function 00FBE9C5: GetFileAttributesW.KERNEL32(?,00FBD755), ref: 00FBE9C6
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00FBDBE0
                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00FBDC30
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FBDC41
                                  • FindClose.KERNEL32(00000000), ref: 00FBDC58
                                  • FindClose.KERNEL32(00000000), ref: 00FBDC61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                  • String ID: \*.*
                                  • API String ID: 2649000838-1173974218
                                  • Opcode ID: 4e3f4aca02f43a82a5aa26910feeb9fa7071a825b7f708b4662c34b608151603
                                  • Instruction ID: ae33b7c8c832562d988d93065798719e9d97116aff80d27734e02dd1ba4fe55c
                                  • Opcode Fuzzy Hash: 4e3f4aca02f43a82a5aa26910feeb9fa7071a825b7f708b4662c34b608151603
                                  • Instruction Fuzzy Hash: 79316D314083899BC301EB64DC919EFBBE8BE91315F44492DF9D1871A1EB64DA0DEB93
                                  APIs
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F9552E,?,?,00000000,00000000), ref: 00FC3933
                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F9552E,?,?,00000000,00000000), ref: 00FC394A
                                  • LoadResource.KERNEL32(?,00000000,?,?,00F9552E,?,?,00000000,00000000,?,?,?,?,?,?,00F563C2), ref: 00FC395A
                                  • SizeofResource.KERNEL32(?,00000000,?,?,00F9552E,?,?,00000000,00000000,?,?,?,?,?,?,00F563C2), ref: 00FC396B
                                  • LockResource.KERNEL32(00F9552E,?,?,00F9552E,?,?,00000000,00000000,?,?,?,?,?,?,00F563C2,?), ref: 00FC397A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                  • String ID: SCRIPT
                                  • API String ID: 3051347437-3967369404
                                  • Opcode ID: 8cb1554af02ae583fa42301de52a83bb9ba0dbff3867ac23c1af2eecba59c1cf
                                  • Instruction ID: f75ed33e2b19abca44f5d98a7181b8724792ab31edffb1739d99148552131de0
                                  • Opcode Fuzzy Hash: 8cb1554af02ae583fa42301de52a83bb9ba0dbff3867ac23c1af2eecba59c1cf
                                  • Instruction Fuzzy Hash: 0B11CE70601306BFD7208B26DD89F277BBAEBC5B50F10826CB542DA550DBB1DD00A621
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FCA4D5
                                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FCA5E8
                                    • Part of subcall function 00FC41CE: GetInputState.USER32 ref: 00FC4225
                                    • Part of subcall function 00FC41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC42C0
                                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FCA505
                                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FCA5D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                  • String ID: *.*
                                  • API String ID: 1972594611-438819550
                                  • Opcode ID: 2c9cbe3d2da06b21f40de089b72b84ef6f31b88acd6c9147d067aedb797274cc
                                  • Instruction ID: 25a9442894dd5f44f88bb3a29c163ab3a497b9635bc22408de90322edfc53fc9
                                  • Opcode Fuzzy Hash: 2c9cbe3d2da06b21f40de089b72b84ef6f31b88acd6c9147d067aedb797274cc
                                  • Instruction Fuzzy Hash: 5041917190020E9FCF15DF64CD4AFEEBBB4EF05314F28845AE905A6191E734AE44EB51
                                  APIs
                                  • DefDlgProcW.USER32(?,?), ref: 00F522EE
                                  • GetSysColor.USER32(0000000F), ref: 00F523C3
                                  • SetBkColor.GDI32(?,00000000), ref: 00F523D6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Color$Proc
                                  • String ID:
                                  • API String ID: 929743424-0
                                  • Opcode ID: fd0ead888068502602013f87771a96eb0c7b98b88a12e553f00af313d3e90d45
                                  • Instruction ID: 5bd0e500360f8c4116620cc81b7c7f17124982b423047e20f968dd9d649f8aee
                                  • Opcode Fuzzy Hash: fd0ead888068502602013f87771a96eb0c7b98b88a12e553f00af313d3e90d45
                                  • Instruction Fuzzy Hash: 738116B2608054BAFA786A7D8C99F7F254DDB43322F180309FB42C5995CA5D9F09F272
                                  APIs
                                    • Part of subcall function 00FD39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD39D7
                                    • Part of subcall function 00FD39AB: _wcslen.LIBCMT ref: 00FD39F8
                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FD21BA
                                  • WSAGetLastError.WSOCK32 ref: 00FD21E1
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00FD2238
                                  • WSAGetLastError.WSOCK32 ref: 00FD2243
                                  • closesocket.WSOCK32(00000000), ref: 00FD2272
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                  • String ID:
                                  • API String ID: 1601658205-0
                                  • Opcode ID: 4ffc08ad0999859f9bb184509b966f0242d178655a70582236d7d9b4bfbbcb4d
                                  • Instruction ID: 6f4997d93b0788ef888e2021cab9f18da929dadad149a790c066c07943ddf49f
                                  • Opcode Fuzzy Hash: 4ffc08ad0999859f9bb184509b966f0242d178655a70582236d7d9b4bfbbcb4d
                                  • Instruction Fuzzy Hash: E751C471A002009FE710AF64CC86F6A77E5AB45754F088089FA15AF3D3C675AD42ABE1
                                  APIs
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00FDB00B
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00FDB019
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • Process32NextW.KERNEL32(00000000,?), ref: 00FDB0FB
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDB10A
                                    • Part of subcall function 00F6E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F94D4D,?), ref: 00F6E30F
                                  Similarity
                                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                  • String ID:
                                  • API String ID: 1991900642-0
                                  APIs
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00FCD7E6
                                  • GetLastError.KERNEL32(?,00000000), ref: 00FCD847
                                  • SetEvent.KERNEL32(?,?,00000000), ref: 00FCD85B
                                  Similarity
                                  • API ID: ErrorEventFileInternetLastRead
                                  • String ID:
                                  • API String ID: 234945975-0
                                  APIs
                                  • lstrlenW.KERNEL32(?,00F94686), ref: 00FBE397
                                  • GetFileAttributesW.KERNEL32(?), ref: 00FBE3A6
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00FBE3B7
                                  • FindClose.KERNEL32(00000000), ref: 00FBE3C3
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirstlstrlen
                                  • String ID:
                                  • API String ID: 2695905019-0
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: %.3d$X64
                                  • API String ID: 481472006-1077770165
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00F82AAA
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00F82AB4
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00F82AC1
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  APIs
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FB1F1C
                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FB1F31
                                  • FreeSid.ADVAPI32(?), ref: 00FB1F41
                                  Similarity
                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                  • String ID:
                                  • API String ID: 3429775523-0
                                  APIs
                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FBEC19
                                  Strings
                                  Similarity
                                  • API ID: mouse_event
                                  • String ID: DOWN
                                  • API String ID: 2434400541-711622031
                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00FAE60A
                                  Strings
                                  Similarity
                                  • API ID: NameUser
                                  • String ID: X64
                                  • API String ID: 2645101109-893830106
                                  APIs
                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FD51EE,?,?,00000035,?), ref: 00FC413E
                                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FD51EE,?,?,00000035,?), ref: 00FC414E
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  APIs
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FBBB39
                                  • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00FBBB4C
                                  Similarity
                                  • API ID: InputSendkeybd_event
                                  • String ID:
                                  • API String ID: 3536248340-0
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 00FCF41A
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00020D71,00F7077E), ref: 00F70D6A
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 00FD348D
                                  • DeleteObject.GDI32(00000000), ref: 00FD34A0
                                  • DestroyWindow.USER32 ref: 00FD34AF
                                  • GetDesktopWindow.USER32 ref: 00FD34CA
                                  • GetWindowRect.USER32(00000000), ref: 00FD34D1
                                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FD3600
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FD360E
                                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3655
                                  • GetClientRect.USER32(00000000,?), ref: 00FD3661
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FD369D
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD36BF
                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD36D2
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD36DD
                                  • GlobalLock.KERNEL32(00000000), ref: 00FD36E6
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD36F5
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00FD36FE
                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3705
                                  • GlobalFree.KERNEL32(00000000), ref: 00FD3710
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3722
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FF0C04,00000000), ref: 00FD3738
                                  • GlobalFree.KERNEL32(00000000), ref: 00FD3748
                                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FD376E
                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FD378D
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD37AF
                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD399C
                                  Strings
                                  Similarity
                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 2211948467-2373415609
                                  APIs
                                  • SetTextColor.GDI32(?,00000000), ref: 00FE7A8E
                                  • GetSysColorBrush.USER32(0000000F), ref: 00FE7ABF
                                  • GetSysColor.USER32(0000000F), ref: 00FE7ACB
                                  • SetBkColor.GDI32(?,000000FF), ref: 00FE7AE5
                                  • SelectObject.GDI32(?,?), ref: 00FE7AF4
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FE7B1F
                                  • GetSysColor.USER32(00000010), ref: 00FE7B27
                                  • CreateSolidBrush.GDI32(00000000), ref: 00FE7B2E
                                  • FrameRect.USER32(?,?,00000000), ref: 00FE7B3D
                                  • DeleteObject.GDI32(00000000), ref: 00FE7B44
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00FE7B8F
                                  • FillRect.USER32(?,?,?), ref: 00FE7BC1
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE7BE3
                                    • Part of subcall function 00FE7D47: GetSysColor.USER32(00000012), ref: 00FE7D80
                                    • Part of subcall function 00FE7D47: SetTextColor.GDI32(?,00FE7A54), ref: 00FE7D84
                                    • Part of subcall function 00FE7D47: GetSysColorBrush.USER32(0000000F), ref: 00FE7D9A
                                    • Part of subcall function 00FE7D47: GetSysColor.USER32(0000000F), ref: 00FE7DA5
                                    • Part of subcall function 00FE7D47: GetSysColor.USER32(00000011), ref: 00FE7DC2
                                    • Part of subcall function 00FE7D47: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FE7DD0
                                    • Part of subcall function 00FE7D47: SelectObject.GDI32(?,00000000), ref: 00FE7DE1
                                    • Part of subcall function 00FE7D47: SetBkColor.GDI32(?,?), ref: 00FE7DEA
                                    • Part of subcall function 00FE7D47: SelectObject.GDI32(?,?), ref: 00FE7DF7
                                    • Part of subcall function 00FE7D47: InflateRect.USER32(?,000000FF,000000FF), ref: 00FE7E16
                                    • Part of subcall function 00FE7D47: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FE7E2D
                                    • Part of subcall function 00FE7D47: GetWindowLongW.USER32(?,000000F0), ref: 00FE7E3A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                  • String ID:
                                  • API String ID: 4124339563-0
                                  • Opcode ID: 8daff9afa41d6c53dcfed41b5e77a7bd150352ba5fdfcc8fd86d9a4ccb3df1bf
                                  • Instruction ID: 227506d2d6ad93642db8ae505f862a4114b817dd2baa3bcedd8bca345d8a7ced
                                  • Opcode Fuzzy Hash: 8daff9afa41d6c53dcfed41b5e77a7bd150352ba5fdfcc8fd86d9a4ccb3df1bf
                                  • Instruction Fuzzy Hash: 1EA1A172408385BFD710AF64DC88E6BBBA9FF88330F140A19F6629A1E0D775D944EB51
                                  APIs
                                  • DestroyWindow.USER32(?,?), ref: 00F516B4
                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F92B26
                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F92B5F
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F92FA4
                                    • Part of subcall function 00F51802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F51488,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F51865
                                  • SendMessageW.USER32(?,00001053), ref: 00F92FE0
                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F92FF7
                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F9300D
                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F93018
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                  • String ID: 0
                                  • API String ID: 2760611726-4108050209
                                  • Opcode ID: 9964eaa6563fbe421edd89c1636df0469e0c2d3607824368921422e0bd45ce18
                                  • Instruction ID: 5d812dd8a7d7b5d76f9a8aa30661b6e902048bd92ecc83cce2d545c691f555a3
                                  • Opcode Fuzzy Hash: 9964eaa6563fbe421edd89c1636df0469e0c2d3607824368921422e0bd45ce18
                                  • Instruction Fuzzy Hash: 0912E030A00201EFEB75DF14C884BA9BBE1FB45325F184569F9958B661C732EC85EF51
                                  APIs
                                  • DestroyWindow.USER32(00000000), ref: 00FD309B
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FD31C7
                                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FD3206
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FD3216
                                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FD325D
                                  • GetClientRect.USER32(00000000,?), ref: 00FD3269
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FD32B2
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FD32C1
                                  • GetStockObject.GDI32(00000011), ref: 00FD32D1
                                  • SelectObject.GDI32(00000000,00000000), ref: 00FD32D5
                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FD32E5
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD32EE
                                  • DeleteDC.GDI32(00000000), ref: 00FD32F7
                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FD3323
                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00FD333A
                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FD337A
                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FD338E
                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00FD339F
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FD33D4
                                  • GetStockObject.GDI32(00000011), ref: 00FD33DF
                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FD33EA
                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FD33F4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                  • API String ID: 2910397461-517079104
                                  • Opcode ID: 37ce20d71d706230098f5b750dce513a9c14ad9b7bcb05c9c719ac5bfd12cfe1
                                  • Instruction ID: 3905aa07e818c5e44c0b580018da4e51849bf267014884c75e50525d039db8ff
                                  • Opcode Fuzzy Hash: 37ce20d71d706230098f5b750dce513a9c14ad9b7bcb05c9c719ac5bfd12cfe1
                                  • Instruction Fuzzy Hash: E2B153B1A00219AFEB24DFA8DC85FAEBBB9EB44710F148115FA15EB290D774ED40DB50
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 00FC5447
                                  • GetDriveTypeW.KERNEL32(?,00FEDC30,?,\\.\,00FEDCD0), ref: 00FC5524
                                  • SetErrorMode.KERNEL32(00000000,00FEDC30,?,\\.\,00FEDCD0), ref: 00FC5690
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                  • API String ID: 2907320926-4222207086
                                  • Opcode ID: 1f8ecc5f1b950467ccaa959e694e7131de6b1743d5fcb3673c0431bb2f137ad2
                                  • Instruction ID: 6ba2d23e3cf8133b08d8e8be0f13b97b97b8d11b0d39a4aee1b844bf56023dab
                                  • Opcode Fuzzy Hash: 1f8ecc5f1b950467ccaa959e694e7131de6b1743d5fcb3673c0431bb2f137ad2
                                  • Instruction Fuzzy Hash: E661C132A4090A9BCB04EB25CB53F7877B1AB04B04BA4845DF446AB265C739FD85FB41
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 00FE7D80
                                  • SetTextColor.GDI32(?,00FE7A54), ref: 00FE7D84
                                  • GetSysColorBrush.USER32(0000000F), ref: 00FE7D9A
                                  • GetSysColor.USER32(0000000F), ref: 00FE7DA5
                                  • CreateSolidBrush.GDI32(?), ref: 00FE7DAA
                                  • GetSysColor.USER32(00000011), ref: 00FE7DC2
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FE7DD0
                                  • SelectObject.GDI32(?,00000000), ref: 00FE7DE1
                                  • SetBkColor.GDI32(?,?), ref: 00FE7DEA
                                  • SelectObject.GDI32(?,?), ref: 00FE7DF7
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00FE7E16
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FE7E2D
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE7E3A
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FE7E89
                                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FE7EB3
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00FE7ED1
                                  • DrawFocusRect.USER32(?,?), ref: 00FE7EDC
                                  • GetSysColor.USER32(00000011), ref: 00FE7EED
                                  • SetTextColor.GDI32(?,00000000), ref: 00FE7EF5
                                  • DrawTextW.USER32(?,00FE7A54,000000FF,?,00000000), ref: 00FE7F07
                                  • SelectObject.GDI32(?,?), ref: 00FE7F1E
                                  • DeleteObject.GDI32(?), ref: 00FE7F29
                                  • SelectObject.GDI32(?,?), ref: 00FE7F2F
                                  • DeleteObject.GDI32(?), ref: 00FE7F34
                                  • SetTextColor.GDI32(?,?), ref: 00FE7F3A
                                  • SetBkColor.GDI32(?,?), ref: 00FE7F44
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 1996641542-0
                                  • Opcode ID: f12eea0bb3f2a01f3fd4855e8c0de24402a24d52754db2da0e856e6a27505518
                                  • Instruction ID: ab2b64ea1d3e4479932a29a7cc830dba02d0a043fb989505b5413d2fc4755bf9
                                  • Opcode Fuzzy Hash: f12eea0bb3f2a01f3fd4855e8c0de24402a24d52754db2da0e856e6a27505518
                                  • Instruction Fuzzy Hash: A5615C72D00258AFDB11AFA4DC89EEEBBB9EF48320F144115F915AB2A0D7759D40EF90
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00FE1A87
                                  • GetDesktopWindow.USER32 ref: 00FE1A9C
                                  • GetWindowRect.USER32(00000000), ref: 00FE1AA3
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE1AF8
                                  • DestroyWindow.USER32(?), ref: 00FE1B18
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FE1B4C
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE1B6A
                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FE1B7C
                                  • SendMessageW.USER32(00000000,00000421,?,?), ref: 00FE1B91
                                  • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FE1BA4
                                  • IsWindowVisible.USER32(00000000), ref: 00FE1C00
                                  • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FE1C1B
                                  • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FE1C2F
                                  • GetWindowRect.USER32(00000000,?), ref: 00FE1C47
                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00FE1C6D
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00FE1C87
                                  • CopyRect.USER32(?,?), ref: 00FE1C9E
                                  • SendMessageW.USER32(00000000,00000412,00000000), ref: 00FE1D09
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                  • String ID: ($0$tooltips_class32
                                  • API String ID: 698492251-4156429822
                                  • Opcode ID: 29edad6337d0d94a89d948511e58ba9839cc17b040e758a1c80ab01ce348487f
                                  • Instruction ID: ce7e618d94dab5cca4b7b838c2fcc70bc93ea6cf4a4dbe3668d891d6bb85a643
                                  • Opcode Fuzzy Hash: 29edad6337d0d94a89d948511e58ba9839cc17b040e758a1c80ab01ce348487f
                                  • Instruction Fuzzy Hash: 02B18C71604380AFD714DF66C884BAABBE4FF84350F00891DF99A9B261D735EC45EB92
                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 00FE0C44
                                  • _wcslen.LIBCMT ref: 00FE0C7E
                                  • _wcslen.LIBCMT ref: 00FE0CE8
                                  • _wcslen.LIBCMT ref: 00FE0D50
                                  • _wcslen.LIBCMT ref: 00FE0DD4
                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FE0E24
                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE0E63
                                    • Part of subcall function 00F6FD60: _wcslen.LIBCMT ref: 00F6FD6B
                                    • Part of subcall function 00FB2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FB2AE8
                                    • Part of subcall function 00FB2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB2B1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                  • API String ID: 1103490817-719923060
                                  • Opcode ID: 4c74bd0e48d9315cfc1e4d1c1480a834cd5532905c9e01c3eaf3328e68b32e4e
                                  • Instruction ID: 1dbc7c2659623507aed375dc38a13fde6098390b91367cda20bc9538c0fda20c
                                  • Opcode Fuzzy Hash: 4c74bd0e48d9315cfc1e4d1c1480a834cd5532905c9e01c3eaf3328e68b32e4e
                                  • Instruction Fuzzy Hash: EAE1F5326043818FC724DF2AC84092AB7E2FF94324B14895DF8969B391DF78ED85EB41
                                  APIs
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5259A
                                  • GetSystemMetrics.USER32(00000007), ref: 00F525A2
                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F525CD
                                  • GetSystemMetrics.USER32(00000008), ref: 00F525D5
                                  • GetSystemMetrics.USER32(00000004), ref: 00F525FA
                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F52617
                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F52627
                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F5265A
                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F5266E
                                  • GetClientRect.USER32(00000000,000000FF), ref: 00F5268C
                                  • GetStockObject.GDI32(00000011), ref: 00F526A8
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F526B3
                                    • Part of subcall function 00F519CD: GetCursorPos.USER32(?), ref: 00F519E1
                                    • Part of subcall function 00F519CD: ScreenToClient.USER32(00000000,?), ref: 00F519FE
                                    • Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000001), ref: 00F51A23
                                    • Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000002), ref: 00F51A3D
                                  • SetTimer.USER32(00000000,00000000,00000028,00F5199C), ref: 00F526DA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                  • String ID: AutoIt v3 GUI
                                  • API String ID: 1458621304-248962490
                                  • Opcode ID: a83c44ce33bcaf8066d8926ff41c998bbce64c91c2b4290dc7791a39f248e803
                                  • Instruction ID: 6aab32665a8697fd30b30a78cf2a9bc5f7aa70ec9cdae9449995396eba8f0358
                                  • Opcode Fuzzy Hash: a83c44ce33bcaf8066d8926ff41c998bbce64c91c2b4290dc7791a39f248e803
                                  • Instruction Fuzzy Hash: 52B15871A0020A9FDF14DFA8CC85BAE7BB5FB48315F104219FA1AAB290D774E944EF51
                                  APIs
                                    • Part of subcall function 00FB1989: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB19A4
                                    • Part of subcall function 00FB1989: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19B0
                                    • Part of subcall function 00FB1989: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19BF
                                    • Part of subcall function 00FB1989: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19C6
                                    • Part of subcall function 00FB1989: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB19DD
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FB1685
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FB16B9
                                  • GetLengthSid.ADVAPI32(?), ref: 00FB16D0
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00FB170A
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FB1726
                                  • GetLengthSid.ADVAPI32(?), ref: 00FB173D
                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FB1745
                                  • HeapAlloc.KERNEL32(00000000), ref: 00FB174C
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FB176D
                                  • CopySid.ADVAPI32(00000000), ref: 00FB1774
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FB17A3
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FB17C5
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FB17D7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB17FE
                                  • HeapFree.KERNEL32(00000000), ref: 00FB1805
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB180E
                                  • HeapFree.KERNEL32(00000000), ref: 00FB1815
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB181E
                                  • HeapFree.KERNEL32(00000000), ref: 00FB1825
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB1831
                                  • HeapFree.KERNEL32(00000000), ref: 00FB1838
                                    • Part of subcall function 00FB1A23: GetProcessHeap.KERNEL32(00000008,00FB1441,?,00000000,?,00FB1441,?), ref: 00FB1A31
                                    • Part of subcall function 00FB1A23: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FB1441,?), ref: 00FB1A38
                                    • Part of subcall function 00FB1A23: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FB1441,?), ref: 00FB1A47
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                  • String ID:
                                  • API String ID: 4175595110-0
                                  • Opcode ID: 82f19f8aac16b16f191f8cae63468917e4d9cd1e667c7ac2ba09f8ca778116ec
                                  • Instruction ID: 4fd06dbe72daed95d416d226699bf58432f705261a154c3fd05fc604e1df6064
                                  • Opcode Fuzzy Hash: 82f19f8aac16b16f191f8cae63468917e4d9cd1e667c7ac2ba09f8ca778116ec
                                  • Instruction Fuzzy Hash: 5E714BB2900209ABDB109FA6DC95FEEBBB8FF04310F548115E915EB191DB359A05DF60
                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDCE1C
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00FEDCD0,00000000,?,00000000,?,?), ref: 00FDCEA3
                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FDCF03
                                  • _wcslen.LIBCMT ref: 00FDCF53
                                  • _wcslen.LIBCMT ref: 00FDCFCE
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FDD011
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FDD120
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FDD1AC
                                  • RegCloseKey.ADVAPI32(?), ref: 00FDD1E0
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00FDD1ED
                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FDD2BF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 9721498-966354055
                                  • Opcode ID: 56351695c871a86ac9587619238fa6ab1c600dc3f959532e071d51485809fcd9
                                  • Instruction ID: 7cfc94d742cbea39f7b59dfa9c8a213a0d1e5c037b17d17e82ddcf7ee7b545e2
                                  • Opcode Fuzzy Hash: 56351695c871a86ac9587619238fa6ab1c600dc3f959532e071d51485809fcd9
                                  • Instruction Fuzzy Hash: 9B1269356042019FD715DF14C881B2AB7E6FF88764F08845EF98A9B3A2CB35ED45DB81
                                  APIs
                                  • CharUpperBuffW.USER32(?,?), ref: 00FE1325
                                  • _wcslen.LIBCMT ref: 00FE1360
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE13B3
                                  • _wcslen.LIBCMT ref: 00FE13E9
                                  • _wcslen.LIBCMT ref: 00FE1465
                                  • _wcslen.LIBCMT ref: 00FE14E0
                                    • Part of subcall function 00F6FD60: _wcslen.LIBCMT ref: 00F6FD6B
                                    • Part of subcall function 00FB3478: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB348A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                  • API String ID: 1103490817-4258414348
                                  • Opcode ID: 7ea77335103d06a383f4eb02fac4c70c0a47a28f44b1150445c10ce11b6528b2
                                  • Instruction ID: 38b3e3659fff885e4648e5c28e04d68874a4abe3caef687ed7539d5d8c38581b
                                  • Opcode Fuzzy Hash: 7ea77335103d06a383f4eb02fac4c70c0a47a28f44b1150445c10ce11b6528b2
                                  • Instruction Fuzzy Hash: 3CE1C0326043818FC714EF26C84086AB7E2FF95354F14895DF8969B7A1DB34ED45EB81
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$BuffCharUpper
                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                  • API String ID: 1256254125-909552448
                                  • Opcode ID: 7adbc8e5e6f0af2305caa75c8c126de1d9d8bc85e90a0236d9b7650b8f661220
                                  • Instruction ID: 53f14f2c1ad8d11fd64de1ca0efbf163aeea2a19e0e150c67c99fd3fd2f46070
                                  • Opcode Fuzzy Hash: 7adbc8e5e6f0af2305caa75c8c126de1d9d8bc85e90a0236d9b7650b8f661220
                                  • Instruction Fuzzy Hash: 8871D533E0011A8BCB20DE7CDD406BE33A3AB62764F2D4517EC559B384EA39ED44A391
                                  APIs
                                  • _wcslen.LIBCMT ref: 00FE8CB9
                                  • _wcslen.LIBCMT ref: 00FE8CCD
                                  • _wcslen.LIBCMT ref: 00FE8CF0
                                  • _wcslen.LIBCMT ref: 00FE8D13
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FE8D51
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FE6551), ref: 00FE8DAD
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FE8DE6
                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FE8E29
                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FE8E60
                                  • FreeLibrary.KERNEL32(?), ref: 00FE8E6C
                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FE8E7C
                                  • DestroyIcon.USER32(?,?,?,?,?,00FE6551), ref: 00FE8E8B
                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FE8EA8
                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FE8EB4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                  • String ID: .dll$.exe$.icl
                                  • API String ID: 799131459-1154884017
                                  • Opcode ID: dd4f5b1c089c187ea0601d8c889147392b5b353a060911151b71493812e206dc
                                  • Instruction ID: 183d18e32c45d7be9f9933d41feb81fe9b63c1e02c4449c25b7d24e64cbb7cea
                                  • Opcode Fuzzy Hash: dd4f5b1c089c187ea0601d8c889147392b5b353a060911151b71493812e206dc
                                  • Instruction Fuzzy Hash: 5161E571900259FEEB14EF65CC81BBE77A8BF04761F108506FD19DA1D0DB78AA41EBA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 0-1645009161
                                  • Opcode ID: c29d38ac8be840be0714e5a1845fd239a5e643dc59a9ea5c9f9ef9d092dea0e3
                                  • Instruction ID: 720316c68ec12f962d750d3b894e432a3cfa8530a67d41ed04c51e0d3c5f266b
                                  • Opcode Fuzzy Hash: c29d38ac8be840be0714e5a1845fd239a5e643dc59a9ea5c9f9ef9d092dea0e3
                                  • Instruction Fuzzy Hash: 2A814971A44206BBDF11AF65CC03FAE77A4AF15751F044021FE099B182EBB8EA19F752
                                  APIs
                                  • CharLowerBuffW.USER32(?,?), ref: 00FC4852
                                  • _wcslen.LIBCMT ref: 00FC485D
                                  • _wcslen.LIBCMT ref: 00FC48B4
                                  • _wcslen.LIBCMT ref: 00FC48F2
                                  • GetDriveTypeW.KERNEL32(?), ref: 00FC4930
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC4978
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC49B3
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC49E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: SendString_wcslen$BuffCharDriveLowerType
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 1839972693-4113822522
                                  • Opcode ID: 161b2e57c5311baaf82ad56e557c45c94ff50949ee8bb9f9976e871405088e31
                                  • Instruction ID: 50aa9737bab92edf93ee201da502956e891bc6f5bd962a4914935f94bd20123b
                                  • Opcode Fuzzy Hash: 161b2e57c5311baaf82ad56e557c45c94ff50949ee8bb9f9976e871405088e31
                                  • Instruction Fuzzy Hash: 657112329042168FC310EF24C992A6BB7E4FF94364F00491DF895972A1EB38ED49EB91
                                  APIs
                                  • LoadIconW.USER32(00000063), ref: 00FB62BD
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FB62CF
                                  • SetWindowTextW.USER32(?,?), ref: 00FB62E6
                                  • GetDlgItem.USER32(?,000003EA), ref: 00FB62FB
                                  • SetWindowTextW.USER32(00000000,?), ref: 00FB6301
                                  • GetDlgItem.USER32(?,000003E9), ref: 00FB6311
                                  • SetWindowTextW.USER32(00000000,?), ref: 00FB6317
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FB6338
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FB6352
                                  • GetWindowRect.USER32(?,?), ref: 00FB635B
                                  • _wcslen.LIBCMT ref: 00FB63C2
                                  • SetWindowTextW.USER32(?,?), ref: 00FB63FE
                                  • GetDesktopWindow.USER32 ref: 00FB6404
                                  • GetWindowRect.USER32(00000000), ref: 00FB640B
                                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FB6462
                                  • GetClientRect.USER32(?,?), ref: 00FB646F
                                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 00FB6494
                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FB64BE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                  • String ID:
                                  • API String ID: 895679908-0
                                  • Opcode ID: f4587774521f120c7ac544afa08f292ef0a8eac2b98663169c73c41e3d8b7757
                                  • Instruction ID: 4a9b7644340df82dca71b6ab023f8e5d131fb16cc5b702626a82b38987700a7c
                                  • Opcode Fuzzy Hash: f4587774521f120c7ac544afa08f292ef0a8eac2b98663169c73c41e3d8b7757
                                  • Instruction Fuzzy Hash: 8D717E31900609EFDB20DFA9CE85BAEBBF5FF48714F104529E146E66A0D779A940EF10
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00FD0784
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00FD078F
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00FD079A
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00FD07A5
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00FD07B0
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00FD07BB
                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00FD07C6
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00FD07D1
                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00FD07DC
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00FD07E7
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00FD07F2
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00FD07FD
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00FD0808
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00FD0813
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00FD081E
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00FD0829
                                  • GetCursorInfo.USER32(?), ref: 00FD0839
                                  • GetLastError.KERNEL32 ref: 00FD087B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Cursor$Load$ErrorInfoLast
                                  • String ID:
                                  • API String ID: 3215588206-0
                                  • Opcode ID: 93b0e8e1c6c99e2d55d3bc5918c5e3c8873eae9bb48eb8882ecc0992977190e2
                                  • Instruction ID: 1aebdb10f95c0f11cef54c7337497ec29bd8fbf47e87e11ce534d365be25dfd2
                                  • Opcode Fuzzy Hash: 93b0e8e1c6c99e2d55d3bc5918c5e3c8873eae9bb48eb8882ecc0992977190e2
                                  • Instruction Fuzzy Hash: 194185B0D083196EDB10DFBA8C8595EBFE9FF04364B54452AE11CEB291DA78E901DF90
                                  APIs
                                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F70456
                                    • Part of subcall function 00F7047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0102170C,00000FA0,6C285056,?,?,?,?,00F92753,000000FF), ref: 00F704AC
                                    • Part of subcall function 00F7047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F92753,000000FF), ref: 00F704B7
                                    • Part of subcall function 00F7047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F92753,000000FF), ref: 00F704C8
                                    • Part of subcall function 00F7047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F704DE
                                    • Part of subcall function 00F7047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F704EC
                                    • Part of subcall function 00F7047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F704FA
                                    • Part of subcall function 00F7047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F70525
                                    • Part of subcall function 00F7047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F70530
                                  • ___scrt_fastfail.LIBCMT ref: 00F70477
                                    • Part of subcall function 00F70433: __onexit.LIBCMT ref: 00F70439
                                  Strings
                                  • WakeAllConditionVariable, xrefs: 00F704F2
                                  • kernel32.dll, xrefs: 00F704C3
                                  • SleepConditionVariableCS, xrefs: 00F704E4
                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F704B2
                                  • InitializeConditionVariable, xrefs: 00F704D8
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                  • API String ID: 66158676-1714406822
                                  • Opcode ID: 769d0d7cd56126f9c052831cae63d786410ca2d6115822a605d4853e4b6e524d
                                  • Instruction ID: 10eef68d3a88278f24beb397b4f4b74172102dbdbcf0e79791a256fce11b1ade
                                  • Opcode Fuzzy Hash: 769d0d7cd56126f9c052831cae63d786410ca2d6115822a605d4853e4b6e524d
                                  • Instruction Fuzzy Hash: 2321FC32A40354EBD7205FA4AC45B2977E4EF44B65F14812BF9099A690DFB8DC00AA53
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                  • API String ID: 176396367-1603158881
                                  • Opcode ID: f95ca1c602cf4e6c08e199e70f3d7753727bf481e3293355634f3a328ccf89d2
                                  • Instruction ID: f0339dd35bcf8b60c1c24868448b806538c3f02c86806494ffe95cf89d43efb3
                                  • Opcode Fuzzy Hash: f95ca1c602cf4e6c08e199e70f3d7753727bf481e3293355634f3a328ccf89d2
                                  • Instruction Fuzzy Hash: 1CE1F632E40519ABCB149FBACC417EDFBB5BF44720F14811AE556E7250DB34AE88EB90
                                  APIs
                                  • CharLowerBuffW.USER32(00000000,00000000,00FEDCD0), ref: 00FC4E81
                                  • _wcslen.LIBCMT ref: 00FC4E95
                                  • _wcslen.LIBCMT ref: 00FC4EF3
                                  • _wcslen.LIBCMT ref: 00FC4F4E
                                  • _wcslen.LIBCMT ref: 00FC4F99
                                  • _wcslen.LIBCMT ref: 00FC5001
                                    • Part of subcall function 00F6FD60: _wcslen.LIBCMT ref: 00F6FD6B
                                  • GetDriveTypeW.KERNEL32(?,01017C10,00000061), ref: 00FC509D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$BuffCharDriveLowerType
                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 2055661098-1000479233
                                  • Opcode ID: 51fc185cfcfa318ef33d6c78245e47fdf037d4e13bb47e5e391925ab130f67ad
                                  • Instruction ID: 0e2bfb9f7ba1b9702d99013d0593cd66be64e64fbf4cba75706132b03408af45
                                  • Opcode Fuzzy Hash: 51fc185cfcfa318ef33d6c78245e47fdf037d4e13bb47e5e391925ab130f67ad
                                  • Instruction Fuzzy Hash: 5CB1D431A083039FC710DF28CA92F6AB7E5BF94760F50491DF595C7292DB34E885E692
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00FEDCD0), ref: 00FD4A18
                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FD4A2A
                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FEDCD0), ref: 00FD4A4F
                                  • FreeLibrary.KERNEL32(00000000,?,00FEDCD0), ref: 00FD4A9B
                                  • StringFromGUID2.OLE32(?,?,00000028,?,00FEDCD0), ref: 00FD4B05
                                  • SysFreeString.OLEAUT32(00000009), ref: 00FD4BBF
                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FD4C25
                                  • SysFreeString.OLEAUT32(?), ref: 00FD4C4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                  • String ID: GetModuleHandleExW$kernel32.dll
                                  • API String ID: 354098117-199464113
                                  • Opcode ID: 2a155f26ba9e57acc6a47a1aaf9ec9f6df82f7c60793db8c7ec71e045af5fc7c
                                  • Instruction ID: 4c9c06cc74e45c8f6cae0c68089256a1a9320294798a365c16ec455d1721cd13
                                  • Opcode Fuzzy Hash: 2a155f26ba9e57acc6a47a1aaf9ec9f6df82f7c60793db8c7ec71e045af5fc7c
                                  • Instruction Fuzzy Hash: B9123C71A00109EFDB14DF54C884EAEB7B6FF85314F188099E915AB261D731FD46DBA0
                                  APIs
                                  • GetMenuItemCount.USER32(01022990), ref: 00F93F4C
                                  • GetMenuItemCount.USER32(01022990), ref: 00F93FFC
                                  • GetCursorPos.USER32(?), ref: 00F94040
                                  • SetForegroundWindow.USER32(00000000), ref: 00F94049
                                  • TrackPopupMenuEx.USER32(01022990,00000000,?,00000000,00000000,00000000), ref: 00F9405C
                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F94068
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                  • String ID: 0
                                  • API String ID: 36266755-4108050209
                                  • Opcode ID: 8b18792bf7b39b2cbd414602f97c81689063384f68dc01c242cbb21200c1900a
                                  • Instruction ID: bcff0f7cc19f9efc15356c5524814f9cfcd4bf2cc3abffaa54cbef72e94ac4eb
                                  • Opcode Fuzzy Hash: 8b18792bf7b39b2cbd414602f97c81689063384f68dc01c242cbb21200c1900a
                                  • Instruction Fuzzy Hash: 45712871A04205BAFF249F69DC49FAABF68FF04368F144206F6156A1E0C7B1AD14FB91
                                  APIs
                                  • DestroyWindow.USER32(00000000,?), ref: 00FE774A
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FE77BE
                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FE77E0
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE77F3
                                  • DestroyWindow.USER32(?), ref: 00FE7814
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F50000,00000000), ref: 00FE7843
                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE785C
                                  • GetDesktopWindow.USER32 ref: 00FE7875
                                  • GetWindowRect.USER32(00000000), ref: 00FE787C
                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FE7894
                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FE78AC
                                    • Part of subcall function 00F521E4: GetWindowLongW.USER32(?,000000EB), ref: 00F521F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                  • String ID: 0$tooltips_class32
                                  • API String ID: 2429346358-3619404913
                                  • Opcode ID: cdd1e337964f0ac57fb3e05a2205d952980beb40d886f1a4d4e18cf0a681a25b
                                  • Instruction ID: 070203e36eca0ae8271d2620f95c18ecde52c9e0c27a0baec646ee260e8b5f24
                                  • Opcode Fuzzy Hash: cdd1e337964f0ac57fb3e05a2205d952980beb40d886f1a4d4e18cf0a681a25b
                                  • Instruction Fuzzy Hash: 27719A74508384AFE721DF59CC48F6ABBEAFB99310F24051DF9858B261C775AA02EB11
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • DragQueryPoint.SHELL32(?,?), ref: 00FE9AA6
                                    • Part of subcall function 00FE7FD3: ClientToScreen.USER32(?,?), ref: 00FE7FF9
                                    • Part of subcall function 00FE7FD3: GetWindowRect.USER32(?,?), ref: 00FE806F
                                    • Part of subcall function 00FE7FD3: PtInRect.USER32(?,?,?), ref: 00FE807F
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00FE9B0F
                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FE9B1A
                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FE9B3D
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FE9B84
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00FE9B9D
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00FE9BB4
                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00FE9BD6
                                  • DragFinish.SHELL32(?), ref: 00FE9BDD
                                  • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00FE9CD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                  • API String ID: 221274066-3440237614
                                  • Opcode ID: 97a3037299d11d40ca1182dc8325c037485e23aa195c02981006f6ecf3a78c1f
                                  • Instruction ID: ffc298ead1cc5eda7efdc77966f6fef0d4cc7f5b5d8a5eb3227c65cf6adeab27
                                  • Opcode Fuzzy Hash: 97a3037299d11d40ca1182dc8325c037485e23aa195c02981006f6ecf3a78c1f
                                  • Instruction Fuzzy Hash: D0618C71108345AFC701EF61DC85E9FBBE8EFC8350F00091EFA959A1A1DB749A49DB62
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FCCE0D
                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FCCE20
                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FCCE34
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FCCE4D
                                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FCCE90
                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FCCEA6
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FCCEB1
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FCCEE1
                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FCCF39
                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FCCF4D
                                  • InternetCloseHandle.WININET(00000000), ref: 00FCCF58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                  • String ID:
                                  • API String ID: 3800310941-3916222277
                                  • Opcode ID: 43328b87723bb5b6046e10d77675d41f0a21d72d0ef38cc6779eedaac99c0cf2
                                  • Instruction ID: 7ac3633c1a13d0304c3fcdcb141d20a324f8c7a8b1423c965e8db896ec24cfb1
                                  • Opcode Fuzzy Hash: 43328b87723bb5b6046e10d77675d41f0a21d72d0ef38cc6779eedaac99c0cf2
                                  • Instruction Fuzzy Hash: 1D515DB190060ABFDB219F60CE89FAA7BBDFF08754F00841DF9499A510D735D944EBA0
                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FE8EF1
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F01
                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F0C
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F19
                                  • GlobalLock.KERNEL32(00000000), ref: 00FE8F27
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F36
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00FE8F3F
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F46
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FE8F57
                                  • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FF0C04,?), ref: 00FE8F70
                                  • GlobalFree.KERNEL32(00000000), ref: 00FE8F80
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00FE8FA0
                                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FE8FD0
                                  • DeleteObject.GDI32(?), ref: 00FE8FF8
                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FE900E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3840717409-0
                                  • Opcode ID: a8a7c16bee53548e846ad8669d7c00747d54712c0040c27eee96dd4bc6b75ea5
                                  • Instruction ID: dcfef463f8b99b5a066f7d3756b99684c09fd19abdb885d7c3fccf0d645f6c3f
                                  • Opcode Fuzzy Hash: a8a7c16bee53548e846ad8669d7c00747d54712c0040c27eee96dd4bc6b75ea5
                                  • Instruction Fuzzy Hash: C3412B75A00288AFDB11DF65DC88EAA7BB9FF89761F104059F909DB260DB709D01EB20
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 00FC1DD6
                                  • VariantCopy.OLEAUT32(?,?), ref: 00FC1DDF
                                  • VariantClear.OLEAUT32(?), ref: 00FC1DEB
                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FC1ECF
                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00FC1F2B
                                  • VariantInit.OLEAUT32(?), ref: 00FC1FDC
                                  • SysFreeString.OLEAUT32(?), ref: 00FC2060
                                  • VariantClear.OLEAUT32(?), ref: 00FC20AC
                                  • VariantClear.OLEAUT32(?), ref: 00FC20BB
                                  • VariantInit.OLEAUT32(00000000), ref: 00FC20F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                  • API String ID: 1234038744-3931177956
                                  • Opcode ID: 52e71571a31935772953014ed899803aa1720fdb5ad68905f854a431676475cd
                                  • Instruction ID: c1929478aec818ddce766b27474de9764573be4eb07d9429c7f85f3d4ec31d58
                                  • Opcode Fuzzy Hash: 52e71571a31935772953014ed899803aa1720fdb5ad68905f854a431676475cd
                                  • Instruction Fuzzy Hash: 58D10172A00516DBDB20DF65C986F69B7B4FF06710F24845AF805EB182CB74AC64FBA1
                                  APIs
                                  • GetDC.USER32(00000000), ref: 00FD2F35
                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FD2F45
                                  • CreateCompatibleDC.GDI32(?), ref: 00FD2F51
                                  • SelectObject.GDI32(00000000,?), ref: 00FD2F5E
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FD2FCA
                                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FD3009
                                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FD302D
                                  • SelectObject.GDI32(?,?), ref: 00FD3035
                                  • DeleteObject.GDI32(?), ref: 00FD303E
                                  • DeleteDC.GDI32(?), ref: 00FD3045
                                  • ReleaseDC.USER32(00000000,?), ref: 00FD3050
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                  • String ID: (
                                  • API String ID: 2598888154-3887548279
                                  • Opcode ID: bc96245d85388c3577615babae21167a7c77b7854d12acc0b3b782265865d709
                                  • Instruction ID: 006134f66ddfc92d4451ab97d56e7c4970b51283627d976e52f5d7c913d5dd25
                                  • Opcode Fuzzy Hash: bc96245d85388c3577615babae21167a7c77b7854d12acc0b3b782265865d709
                                  • Instruction Fuzzy Hash: D761F3B5D00219EFCF04CFA4DC84AAEBBB6FF48310F24852AE555A7250D775A941DF90
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 00F8DE41
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8D9F9
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA0B
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA1D
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA2F
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA41
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA53
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA65
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA77
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA89
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DA9B
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DAAD
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DABF
                                    • Part of subcall function 00F8D9DC: _free.LIBCMT ref: 00F8DAD1
                                  • _free.LIBCMT ref: 00F8DE36
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F8DE58
                                  • _free.LIBCMT ref: 00F8DE6D
                                  • _free.LIBCMT ref: 00F8DE78
                                  • _free.LIBCMT ref: 00F8DE9A
                                  • _free.LIBCMT ref: 00F8DEAD
                                  • _free.LIBCMT ref: 00F8DEBB
                                  • _free.LIBCMT ref: 00F8DEC6
                                  • _free.LIBCMT ref: 00F8DEFE
                                  • _free.LIBCMT ref: 00F8DF05
                                  • _free.LIBCMT ref: 00F8DF22
                                  • _free.LIBCMT ref: 00F8DF3A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: b22928286440b2a83aafc6474d019ac7f5b850472945a008a68aec8b5dd8150c
                                  • Instruction ID: 0e3fe39ca5c6e723f8230c05ac352ede9a8df73dd873adbaa15fa614ea623382
                                  • Opcode Fuzzy Hash: b22928286440b2a83aafc6474d019ac7f5b850472945a008a68aec8b5dd8150c
                                  • Instruction Fuzzy Hash: 36315A72A007059FEB60BA39DD49BDA77E9EF10320F108519E959DB1A1DF78BC81EB10
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00FB3F2B
                                  • _wcslen.LIBCMT ref: 00FB3F36
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FB4026
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00FB409B
                                  • GetDlgCtrlID.USER32(?), ref: 00FB40EC
                                  • GetWindowRect.USER32(?,?), ref: 00FB4111
                                  • GetParent.USER32(?), ref: 00FB412F
                                  • ScreenToClient.USER32(00000000), ref: 00FB4136
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00FB41B0
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00FB41EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                  • String ID: %s%u
                                  • API String ID: 4010501982-679674701
                                  • Opcode ID: bd20e106de787824318c87a68abefa195d485ab989d6819946fa4df9367b2302
                                  • Instruction ID: d433616638b19aeb947c4b10822f75e3a78c475600abdb843c2c6783d491bd73
                                  • Opcode Fuzzy Hash: bd20e106de787824318c87a68abefa195d485ab989d6819946fa4df9367b2302
                                  • Instruction Fuzzy Hash: C9910171A04206AFD719DF25C984BEAB7A8FF44360F008529FA99C6192DB30F945EF91
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00FB5223
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00FB5269
                                  • _wcslen.LIBCMT ref: 00FB527A
                                  • CharUpperBuffW.USER32(?,00000000), ref: 00FB5286
                                  • _wcsstr.LIBVCRUNTIME ref: 00FB52BB
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00FB52F3
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00FB532C
                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00FB5375
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00FB53AF
                                  • GetWindowRect.USER32(?,?), ref: 00FB541A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                  • String ID: ThumbnailClass
                                  • API String ID: 1311036022-1241985126
                                  • Opcode ID: edc812f5750e0b727fa4a88a829a2b5868dddc6b0d3e54bb47d8f67bd5afa97e
                                  • Instruction ID: 90bae84f460e8bbb3d4f32eb59fde28e2d950a7fedc7b600ccddb75e35125506
                                  • Opcode Fuzzy Hash: edc812f5750e0b727fa4a88a829a2b5868dddc6b0d3e54bb47d8f67bd5afa97e
                                  • Instruction Fuzzy Hash: 5691E0715046059FCB04CF12C880BEA77E9FF44B64F04842AFD8A8A192DB38ED45EFA1
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FE96B9
                                  • GetFocus.USER32 ref: 00FE96C9
                                  • GetDlgCtrlID.USER32(00000000), ref: 00FE96D4
                                  • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00FE977C
                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FE982E
                                  • GetMenuItemCount.USER32(?), ref: 00FE984B
                                  • GetMenuItemID.USER32(?,00000000), ref: 00FE985B
                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FE988D
                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FE98CF
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FE9900
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                  • String ID: 0
                                  • API String ID: 1026556194-4108050209
                                  • Opcode ID: cf2c117ba0594cc4cc3d08757bdeb53bc6c82e3311e07b8981ce21804bdb9705
                                  • Instruction ID: cfacfa9cb930861bb04614647f61a7bae70f5086fc465c7bb659bdbd2e285ffe
                                  • Opcode Fuzzy Hash: cf2c117ba0594cc4cc3d08757bdeb53bc6c82e3311e07b8981ce21804bdb9705
                                  • Instruction Fuzzy Hash: AA81CE719083859FD720CF26CC84A6B7BE8FF89364F14091AF98597291D7B1D904EBB2
                                  APIs
                                  • GetMenuItemInfoW.USER32(01022990,000000FF,00000000,00000030), ref: 00FBC888
                                  • SetMenuItemInfoW.USER32(01022990,00000004,00000000,00000030), ref: 00FBC8BD
                                  • Sleep.KERNEL32(000001F4), ref: 00FBC8CF
                                  • GetMenuItemCount.USER32(?), ref: 00FBC915
                                  • GetMenuItemID.USER32(?,00000000), ref: 00FBC932
                                  • GetMenuItemID.USER32(?,-00000001), ref: 00FBC95E
                                  • GetMenuItemID.USER32(?,?), ref: 00FBC9A5
                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FBC9EB
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBCA00
                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBCA21
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info$CheckCountRadioSleep
                                  • String ID: 0
                                  • API String ID: 1460738036-4108050209
                                  • Opcode ID: 0bca6f381e910c7845893a33f3d9c7f558b238ff09e1967238e21012c1ea4530
                                  • Instruction ID: d344271ff17de4be43b5e202924b4043f839b082973781ea14189824330b3d92
                                  • Opcode Fuzzy Hash: 0bca6f381e910c7845893a33f3d9c7f558b238ff09e1967238e21012c1ea4530
                                  • Instruction Fuzzy Hash: FB617C7190024AABEF21CF65CC98AFFBFA8FB45314F144019E851A7291D739AD05EFA0
                                  APIs
                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FBE3E9
                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FBE40F
                                  • _wcslen.LIBCMT ref: 00FBE419
                                  • _wcsstr.LIBVCRUNTIME ref: 00FBE469
                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FBE485
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 1939486746-1459072770
                                  • Opcode ID: 7d812062f90b271d2d229115a3408c8ba90dade0afff58822fd564c5e3292b45
                                  • Instruction ID: 8f14f73fcf06e6f721378692c59ce62f54ce622ae00b503476acbd2c94d60e00
                                  • Opcode Fuzzy Hash: 7d812062f90b271d2d229115a3408c8ba90dade0afff58822fd564c5e3292b45
                                  • Instruction Fuzzy Hash: 5B412C729402047BEB10AB658C47EFF3B6CDF55720F14406BF904E6182EBBCDA01B6A2
                                  APIs
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDD5C3
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FDD5EC
                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FDD6A7
                                    • Part of subcall function 00FDD593: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FDD609
                                    • Part of subcall function 00FDD593: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FDD61C
                                    • Part of subcall function 00FDD593: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FDD62E
                                    • Part of subcall function 00FDD593: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FDD664
                                    • Part of subcall function 00FDD593: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDD687
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FDD652
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2734957052-4033151799
                                  • Opcode ID: f7f4dd8b30afb91f913098c6f824a2804690090fc72ad6f410200212e8e88a21
                                  • Instruction ID: 6833433ff1849477735875dbc436919cb5c3f7f6542f7022985383d4afaa02ba
                                  • Opcode Fuzzy Hash: f7f4dd8b30afb91f913098c6f824a2804690090fc72ad6f410200212e8e88a21
                                  • Instruction Fuzzy Hash: 4A316E71D0112DBBDB209B91DC88EFFBB7DEF45714F080166B906E6214DB349A46AAE0
                                  APIs
                                  • timeGetTime.WINMM ref: 00FBEEE0
                                    • Part of subcall function 00F6F27E: timeGetTime.WINMM(?,?,00FBEF00), ref: 00F6F282
                                  • Sleep.KERNEL32(0000000A), ref: 00FBEF0D
                                  • EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 00FBEF31
                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FBEF53
                                  • SetActiveWindow.USER32 ref: 00FBEF72
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FBEF80
                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00FBEF9F
                                  • Sleep.KERNEL32(000000FA), ref: 00FBEFAA
                                  • IsWindow.USER32 ref: 00FBEFB6
                                  • EndDialog.USER32(00000000), ref: 00FBEFC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                  • String ID: BUTTON
                                  • API String ID: 1194449130-3405671355
                                  • Opcode ID: 968b58c31c495075d6cdbebab44c05bf35877675e0d3fdfb5bf010c2156aca8d
                                  • Instruction ID: 2dcbe121f9e50adca3cf356a903c1496339416abd1fd5052b2d80003fe1ffc1b
                                  • Opcode Fuzzy Hash: 968b58c31c495075d6cdbebab44c05bf35877675e0d3fdfb5bf010c2156aca8d
                                  • Instruction Fuzzy Hash: 9C216270140248AFEB306F61ECCDAA63B6EFB49354F214414F49599755CB7A9C40BF64
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FBF289
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FBF29F
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBF2B0
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FBF2C2
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FBF2D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: SendString$_wcslen
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 2420728520-1007645807
                                  • Opcode ID: cac7304ea6da2d6e30b471b388555b3f2aa63d9281b86f065fd4549e7f148670
                                  • Instruction ID: 3d2678208d91b13cc2003407ccf1185614508e41512e84aff15bf50ae7854b19
                                  • Opcode Fuzzy Hash: cac7304ea6da2d6e30b471b388555b3f2aa63d9281b86f065fd4549e7f148670
                                  • Instruction Fuzzy Hash: 6B110235A9015D39D720A7A3CC4AEFF7A7CEFD2B10F400429B901A60D4EEA44D0DD9B0
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00FBA8EE
                                  • SetKeyboardState.USER32(?), ref: 00FBA959
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00FBA979
                                  • GetKeyState.USER32(000000A0), ref: 00FBA990
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00FBA9BF
                                  • GetKeyState.USER32(000000A1), ref: 00FBA9D0
                                  • GetAsyncKeyState.USER32(00000011), ref: 00FBA9FC
                                  • GetKeyState.USER32(00000011), ref: 00FBAA0A
                                  • GetAsyncKeyState.USER32(00000012), ref: 00FBAA33
                                  • GetKeyState.USER32(00000012), ref: 00FBAA41
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00FBAA6A
                                  • GetKeyState.USER32(0000005B), ref: 00FBAA78
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: cedf85cac4e06a8fc2193ece75d1000c84977ce64e8979e8ea6268d3d37a5da1
                                  • Instruction ID: d63eaeac62188aa081fd4c9a857a84c4ff5f8551383a1e4e31b777b86d07af3e
                                  • Opcode Fuzzy Hash: cedf85cac4e06a8fc2193ece75d1000c84977ce64e8979e8ea6268d3d37a5da1
                                  • Instruction Fuzzy Hash: 08510C30D0478869FB35DBB289507EABFB49F11350F488599C4C25B5C2DA58DA4CEF63
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 00FB6571
                                  • GetWindowRect.USER32(00000000,?), ref: 00FB658A
                                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FB65E8
                                  • GetDlgItem.USER32(?,00000002), ref: 00FB65F8
                                  • GetWindowRect.USER32(00000000,?), ref: 00FB660A
                                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FB665E
                                  • GetDlgItem.USER32(?,000003E9), ref: 00FB666C
                                  • GetWindowRect.USER32(00000000,?), ref: 00FB667E
                                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FB66C0
                                  • GetDlgItem.USER32(?,000003EA), ref: 00FB66D3
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FB66E9
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FB66F6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: 1032ccb36d063bcf424f37f942390f86f806bc72e3958bb6152d765fe8d628a6
                                  • Instruction ID: 123f08fcfbd7b6173c10e9da622808a7ac1e59693bf2e217f09460068fc78093
                                  • Opcode Fuzzy Hash: 1032ccb36d063bcf424f37f942390f86f806bc72e3958bb6152d765fe8d628a6
                                  • Instruction Fuzzy Hash: 32511071E00209AFDF18CF69DD85AAEBBB6FB48310F148129F519EB690D7749D049F50
                                  APIs
                                    • Part of subcall function 00F51802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F51488,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F51865
                                  • DestroyWindow.USER32(?), ref: 00F51521
                                  • KillTimer.USER32(00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F515BB
                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00F929D4
                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F92A02
                                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F92A19
                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000), ref: 00F92A35
                                  • DeleteObject.GDI32(00000000), ref: 00F92A47
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                  • String ID:
                                  • API String ID: 641708696-0
                                  • Opcode ID: 4a5a3fdceff5089d86f9feb55f653a58580857e9ffd88f4753ed71f11a42d736
                                  • Instruction ID: 74d4a4936177d9c18737f2d855d9e637dc7ca8b54f9e6b0c48d56be4b6e0c206
                                  • Opcode Fuzzy Hash: 4a5a3fdceff5089d86f9feb55f653a58580857e9ffd88f4753ed71f11a42d736
                                  • Instruction Fuzzy Hash: 7561BF32A01601EFDB35DF14D948B2577B1FB81323F244518E9824AA64C37ABD98FF80
                                  APIs
                                    • Part of subcall function 00F521E4: GetWindowLongW.USER32(?,000000EB), ref: 00F521F2
                                  • GetSysColor.USER32(0000000F), ref: 00F52102
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ColorLongWindow
                                  • String ID:
                                  • API String ID: 259745315-0
                                  • Opcode ID: 1e587e96dcbd1a47a6469ff93937d406ee98bb31274f35ebe488b70111c164c1
                                  • Instruction ID: 64561f8f7c9bc2da7ffe6b9d850553ed32656d5cc5c31e3cf95e48b0390d7040
                                  • Opcode Fuzzy Hash: 1e587e96dcbd1a47a6469ff93937d406ee98bb31274f35ebe488b70111c164c1
                                  • Instruction Fuzzy Hash: 6A417131500A44AFEF245F289C84BBA3BA5AB46332F154745FFA28B2E1C7359D46BB10
                                  APIs
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FB1032
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FB104E
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FB106A
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FB1094
                                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FB10BC
                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB10C7
                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB10CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 323675364-22481851
                                  • Opcode ID: 5778dc43a5b98d7f1691baea7016f38d1790749cbbf83459132ff84cc470e97e
                                  • Instruction ID: 94e3782923a5dd35ed833912950330fdec29ca852c58051aaa622bb2ab11332f
                                  • Opcode Fuzzy Hash: 5778dc43a5b98d7f1691baea7016f38d1790749cbbf83459132ff84cc470e97e
                                  • Instruction Fuzzy Hash: 03411672C1022DABCF21EBA4DC959EEB7B8FF14351F444129EA11A7161EB749E08EF50
                                  APIs
                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FE499A
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00FE49A1
                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FE49B4
                                  • SelectObject.GDI32(00000000,00000000), ref: 00FE49BC
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FE49C7
                                  • DeleteDC.GDI32(00000000), ref: 00FE49D1
                                  • GetWindowLongW.USER32(?,000000EC), ref: 00FE49DB
                                  • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FE49F1
                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FE49FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                  • String ID: static
                                  • API String ID: 2559357485-2160076837
                                  • Opcode ID: 58826b305a4f0a19bfb3e5ff70c4f77d53fe10acd3f2deff659a94306575075f
                                  • Instruction ID: 57f53e72c63ecdd1cd8c3e8db764e493e3187e411fbf82b3ef7337315c8fb54f
                                  • Opcode Fuzzy Hash: 58826b305a4f0a19bfb3e5ff70c4f77d53fe10acd3f2deff659a94306575075f
                                  • Instruction Fuzzy Hash: C3318E32500259AFDF119FA5DC48FDA3B69FF09764F100215FA68AA0A0C779E811EB64
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 00FD45B9
                                  • CoInitialize.OLE32(00000000), ref: 00FD45E7
                                  • CoUninitialize.OLE32 ref: 00FD45F1
                                  • _wcslen.LIBCMT ref: 00FD468A
                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00FD470E
                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FD4832
                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FD486B
                                  • CoGetObject.OLE32(?,00000000,00FF0B64,?), ref: 00FD488A
                                  • SetErrorMode.KERNEL32(00000000), ref: 00FD489D
                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FD4921
                                  • VariantClear.OLEAUT32(?), ref: 00FD4935
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                  • String ID:
                                  • API String ID: 429561992-0
                                  • Opcode ID: e6b20aa51eac8b944651a1783cdbe7bdabc00f9d28d12598af1240fe3c5edda6
                                  • Instruction ID: 93169fc433615dd3cb650d0507994657bea6993c6fffdfa73c5cf79217695dba
                                  • Opcode Fuzzy Hash: e6b20aa51eac8b944651a1783cdbe7bdabc00f9d28d12598af1240fe3c5edda6
                                  • Instruction Fuzzy Hash: 60C134716042459F9700DF28C88492BBBEAFF89758F08491EF98ADB251DB31ED05EB52
                                  APIs
                                  • CoInitialize.OLE32(00000000), ref: 00FC844D
                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FC84E9
                                  • SHGetDesktopFolder.SHELL32(?), ref: 00FC84FD
                                  • CoCreateInstance.OLE32(00FF0CD4,00000000,00000001,01017E8C,?), ref: 00FC8549
                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FC85CE
                                  • CoTaskMemFree.OLE32(?,?), ref: 00FC8626
                                  • SHBrowseForFolderW.SHELL32(?), ref: 00FC86B1
                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FC86D4
                                  • CoTaskMemFree.OLE32(00000000), ref: 00FC86DB
                                  • CoTaskMemFree.OLE32(00000000), ref: 00FC8730
                                  • CoUninitialize.OLE32 ref: 00FC8736
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                  • String ID:
                                  • API String ID: 2762341140-0
                                  • Opcode ID: 7c6b6eb5adb58f5b51040075645c435397b9a8a0152344457a1a0674dfe3facc
                                  • Instruction ID: e115ea6cff66c3a587151cbd17cf0f01627372c26a06c830f8136afd50943087
                                  • Opcode Fuzzy Hash: 7c6b6eb5adb58f5b51040075645c435397b9a8a0152344457a1a0674dfe3facc
                                  • Instruction Fuzzy Hash: 4AC13C75A00109AFCB14DFA4C985DAEBBF5FF48354B148098E91AEB261CB30ED46DB50
                                  APIs
                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FE5E63
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE5E74
                                  • CharNextW.USER32(00000158), ref: 00FE5EA3
                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FE5EE4
                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FE5EFA
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE5F0B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$CharNext
                                  • String ID:
                                  • API String ID: 1350042424-0
                                  • Opcode ID: 2befa0f867322d05cf2b50bf80ba089f0491846485bc244f0a4bc835c875bbc2
                                  • Instruction ID: 002da6b8906a0a47d740664b8c6f8f671634a32f2e775fe48fbff26d73417b42
                                  • Opcode Fuzzy Hash: 2befa0f867322d05cf2b50bf80ba089f0491846485bc244f0a4bc835c875bbc2
                                  • Instruction Fuzzy Hash: A061A131905289AFDF219F96CC84EFE7BB8EF05B64F104115FA25AA290C7749A41EB60
                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FB033F
                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00FB0398
                                  • VariantInit.OLEAUT32(?), ref: 00FB03AA
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB03CA
                                  • VariantCopy.OLEAUT32(?,?), ref: 00FB041D
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FB0431
                                  • VariantClear.OLEAUT32(?), ref: 00FB0446
                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00FB0453
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB045C
                                  • VariantClear.OLEAUT32(?), ref: 00FB046E
                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB0479
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  • Opcode ID: fa32bf9d92e3b0b7dca7f9fdb9d07015c35d6b55ddd47aec253c92e3231415d5
                                  • Instruction ID: 5265c984d22f83eb995b545867f747d35198b5b3bcfd41cb74a51f13ac36c3e7
                                  • Opcode Fuzzy Hash: fa32bf9d92e3b0b7dca7f9fdb9d07015c35d6b55ddd47aec253c92e3231415d5
                                  • Instruction Fuzzy Hash: 58415F75A0021DDFCB04DF65CC889EEBBB9FF58354F008029E955AB2A1CB34A945DF90
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • GetSystemMetrics.USER32(0000000F), ref: 00FEA926
                                  • GetSystemMetrics.USER32(0000000F), ref: 00FEA946
                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FEAB83
                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FEABA1
                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FEABC2
                                  • ShowWindow.USER32(00000003,00000000), ref: 00FEABE1
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00FEAC06
                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00FEAC29
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                  • String ID:
                                  • API String ID: 1211466189-3916222277
                                  • Opcode ID: 720d8c2dcf3be927e7e25a405f028e9170c2d6abce659567e708179f00fd062f
                                  • Instruction ID: d7dec4bd80c821bc6374becfb5718accee8fc2d2a045f506845fbe6223ecf166
                                  • Opcode Fuzzy Hash: 720d8c2dcf3be927e7e25a405f028e9170c2d6abce659567e708179f00fd062f
                                  • Instruction Fuzzy Hash: 23B1AA31A00259DFDF14CF6AC9857AE7BF2BF84710F188069EC459F299D734A980EB61
                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 00FD0F19
                                  • inet_addr.WSOCK32(?), ref: 00FD0F79
                                  • gethostbyname.WSOCK32(?), ref: 00FD0F85
                                  • IcmpCreateFile.IPHLPAPI ref: 00FD0F93
                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD1023
                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD1042
                                  • IcmpCloseHandle.IPHLPAPI(?), ref: 00FD1116
                                  • WSACleanup.WSOCK32 ref: 00FD111C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                  • String ID: Ping
                                  • API String ID: 1028309954-2246546115
                                  • Opcode ID: c40978907c3dd9e4f5d1abcf9b62adc78f3e23a2444918864a2ae1b819078428
                                  • Instruction ID: 776c9a6a97da3e1bb974f1ae48d4ccd5c31139dbd42cfa085aa18db5d95d836d
                                  • Opcode Fuzzy Hash: c40978907c3dd9e4f5d1abcf9b62adc78f3e23a2444918864a2ae1b819078428
                                  • Instruction Fuzzy Hash: 97919131A04241AFD320DF15C889B16BBE5FF44328F1885AAF5698F7A2C735ED85DB81
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$BuffCharLower
                                  • String ID: cdecl$none$stdcall$winapi
                                  • API String ID: 707087890-567219261
                                  • Opcode ID: 8eb62de544e075c195368240f88ae56a771191b9c26b08497c031bccc083ff62
                                  • Instruction ID: 9c49e7dc469e711162b3caaf85f226a9ba2735d04a969049810ac222e1dcaf78
                                  • Opcode Fuzzy Hash: 8eb62de544e075c195368240f88ae56a771191b9c26b08497c031bccc083ff62
                                  • Instruction Fuzzy Hash: 8051E932E081169BCB14DFECC9509BDB3A6BF15324768421AF86AE7384EB75DD40E790
                                  APIs
                                  • CoInitialize.OLE32 ref: 00FD40D1
                                  • CoUninitialize.OLE32 ref: 00FD40DC
                                  • CoCreateInstance.OLE32(?,00000000,00000017,00FF0B44,?), ref: 00FD4136
                                  • IIDFromString.OLE32(?,?), ref: 00FD41A9
                                  • VariantInit.OLEAUT32(?), ref: 00FD4241
                                  • VariantClear.OLEAUT32(?), ref: 00FD4293
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 636576611-1287834457
                                  • Opcode ID: 6f4b1ed00d28f92a5ebd73b33ae0bbaf6c4e57ef1dce2b5f4d58a491166cefc6
                                  • Instruction ID: d01a4ceb133da60269210c2862fc224b60a59dfa323d265719b63c8b704770a0
                                  • Opcode Fuzzy Hash: 6f4b1ed00d28f92a5ebd73b33ae0bbaf6c4e57ef1dce2b5f4d58a491166cefc6
                                  • Instruction Fuzzy Hash: 7A61BF716043019FC311DF64C889B6ABBE5AF49715F08080EF9859B391D774FD88EB92
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00FC8BB1
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FC8BC1
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FC8BCD
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC8C6A
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8C7E
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8CB0
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FC8CE6
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8CEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CurrentDirectoryTime$File$Local$System
                                  • String ID: *.*
                                  • API String ID: 1464919966-438819550
                                  • Opcode ID: 5e6c693c652372e16efaf2fcd0090cea301f83c45309587b552fb1c5c0cbbcbb
                                  • Instruction ID: 4cac2f7a7983d811ee28f6a4141929e1cc6d040c0fdb927b358dcf0225908cac
                                  • Opcode Fuzzy Hash: 5e6c693c652372e16efaf2fcd0090cea301f83c45309587b552fb1c5c0cbbcbb
                                  • Instruction Fuzzy Hash: 2E616CB25043469FC710EF60C945E9EB3E8FF89350F04881EF98997251DB35EA4ADB92
                                  APIs
                                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FC3D29
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FC3D4A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: LoadString$_wcslen
                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 4099089115-3080491070
                                  • Opcode ID: dfa8d17ecd4021aa7499c9962a0322d4b79bb14a84911054a4f201f5ebcb5969
                                  • Instruction ID: 680422a940058241ba438cb24584c2f97b6bc7520a33b6e0a60f47f4616fe9d6
                                  • Opcode Fuzzy Hash: dfa8d17ecd4021aa7499c9962a0322d4b79bb14a84911054a4f201f5ebcb5969
                                  • Instruction Fuzzy Hash: 76517F3290010EAACF15EBE0DD42EEEB778AF14301F544069F50576062EB792F5DEB61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$BuffCharUpper
                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                  • API String ID: 1256254125-769500911
                                  • Opcode ID: eca5b807bf9c14097101894649a7ac465396df8452ab9c26e943cc884e0bc643
                                  • Instruction ID: 596b81a80f575ef4fe6d1959a674177521bfe31a33290624953893ab0577820e
                                  • Opcode Fuzzy Hash: eca5b807bf9c14097101894649a7ac465396df8452ab9c26e943cc884e0bc643
                                  • Instruction Fuzzy Hash: 4D41E532E0112B9ACB105FBECC905FEB7A5BB60764B244129F465C7284E775CD81EF90
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 00FC5CFA
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FC5D70
                                  • GetLastError.KERNEL32 ref: 00FC5D7A
                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00FC5E01
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: 3cd2a9498433eaee98745d178ab1932f0b2a7495fdd8597ff8dcaa743afa966e
                                  • Instruction ID: c95ab2350bb51760eeb797165dcb34cdf9b066bd4d182cecd090ce985ccd4b85
                                  • Opcode Fuzzy Hash: 3cd2a9498433eaee98745d178ab1932f0b2a7495fdd8597ff8dcaa743afa966e
                                  • Instruction Fuzzy Hash: 3A31AF31A042469FCB00EF68C989FAABBB5EB05714F148059E506DF392C735ED86EB91
                                  APIs
                                  • CreateMenu.USER32 ref: 00FE45D8
                                  • SetMenu.USER32(?,00000000), ref: 00FE45E7
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE466F
                                  • IsMenu.USER32(?), ref: 00FE4683
                                  • CreatePopupMenu.USER32 ref: 00FE468D
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE46BA
                                  • DrawMenuBar.USER32 ref: 00FE46C2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                  • String ID: 0$F
                                  • API String ID: 161812096-3044882817
                                  • Opcode ID: cdd9c1b3515dd76ffce8ae652df9aa154cd2f2c6c13968c371a4679181936292
                                  • Instruction ID: 859cf954d12ba2a8eacc44f6884a605f47676a527d06591c5be7f5dda9efb905
                                  • Opcode Fuzzy Hash: cdd9c1b3515dd76ffce8ae652df9aa154cd2f2c6c13968c371a4679181936292
                                  • Instruction Fuzzy Hash: CE415B75A01349EFDB24DF65D894AAABBB5FF4A314F14002DFA459B350C731A920EF50
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FB27F4
                                  • GetDlgCtrlID.USER32 ref: 00FB27FF
                                  • GetParent.USER32 ref: 00FB281B
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB281E
                                  • GetDlgCtrlID.USER32(?), ref: 00FB2827
                                  • GetParent.USER32(?), ref: 00FB283B
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB283E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 711023334-1403004172
                                  • Opcode ID: ff648ccee163a23ff62a4d93b77ef4445ab40e135e4a2408736b5378e3c61f4b
                                  • Instruction ID: 02e3c8dc7cfc0bca5e4a09a0a73e1517259a7550a3ae44802611112e3210719e
                                  • Opcode Fuzzy Hash: ff648ccee163a23ff62a4d93b77ef4445ab40e135e4a2408736b5378e3c61f4b
                                  • Instruction Fuzzy Hash: 9D21F675D00118BBCF11EFA1DC85EEEBBB8EF05310F100116B9616B2A6CB799808EF60
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FB28D3
                                  • GetDlgCtrlID.USER32 ref: 00FB28DE
                                  • GetParent.USER32 ref: 00FB28FA
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB28FD
                                  • GetDlgCtrlID.USER32(?), ref: 00FB2906
                                  • GetParent.USER32(?), ref: 00FB291A
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB291D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 711023334-1403004172
                                  • Opcode ID: 9ee7abd0e8de313a67a82272b39c451d954e710e8ae9ef54801cf4e0fa1d8783
                                  • Instruction ID: 0c7b8f009006813b7aeab92a61bce339cc1a4f117886e51441aba0284615ca94
                                  • Opcode Fuzzy Hash: 9ee7abd0e8de313a67a82272b39c451d954e710e8ae9ef54801cf4e0fa1d8783
                                  • Instruction Fuzzy Hash: 3321C675D00118BBDF11AFA5DC85EEEBBB8EF05310F004016B991AB196D7799849FF60
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FE43FC
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FE43FF
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE4426
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE4449
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FE44C1
                                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FE450B
                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FE4526
                                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FE4541
                                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FE4555
                                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FE4572
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  • Opcode ID: 6cf033d1e83ba345ef7d1baacf8e5c03133cebbdcbd4be822d72fe8dd954860d
                                  • Instruction ID: 44a25030bebf879bd52d3b8335a52a1755bf9507dfd68ff99839998440630e97
                                  • Opcode Fuzzy Hash: 6cf033d1e83ba345ef7d1baacf8e5c03133cebbdcbd4be822d72fe8dd954860d
                                  • Instruction Fuzzy Hash: BD618C75A00248AFDB21DFA8CC81EEE77B8EF09310F14416AFA14A7291C774AA45EF50
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00FBBA2D
                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBA41
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00FBBA48
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBA57
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBBA69
                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBA82
                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBA94
                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBAD9
                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBAEE
                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FBAABD,?,00000001), ref: 00FBBAF9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: c651032c2ceec8bcea91e12da8543f47030a818d159cb0fdef49eb7706d201a7
                                  • Instruction ID: 40ccba06ab9adf1c475b88319a9af6a794f3d402c4ca953d952bc25ed549f9b1
                                  • Opcode Fuzzy Hash: c651032c2ceec8bcea91e12da8543f47030a818d159cb0fdef49eb7706d201a7
                                  • Instruction Fuzzy Hash: B1314875D00208ABDB309F66EC88FE977ADAB54322F218015FE45DB180D7FD9980AF64
                                  APIs
                                  • _free.LIBCMT ref: 00F83024
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F83030
                                  • _free.LIBCMT ref: 00F8303B
                                  • _free.LIBCMT ref: 00F83046
                                  • _free.LIBCMT ref: 00F83051
                                  • _free.LIBCMT ref: 00F8305C
                                  • _free.LIBCMT ref: 00F83067
                                  • _free.LIBCMT ref: 00F83072
                                  • _free.LIBCMT ref: 00F8307D
                                  • _free.LIBCMT ref: 00F8308B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 9ada8bb0f22cf61171edae622c7836055095ceff8d7445281e472e483f0158cb
                                  • Instruction ID: ed3923c93eaef821157b4790e0a613dd12336291cf2530d65f29889c4241bc7d
                                  • Opcode Fuzzy Hash: 9ada8bb0f22cf61171edae622c7836055095ceff8d7445281e472e483f0158cb
                                  • Instruction Fuzzy Hash: 3111437651014CAFCB81FF54CD42CDD3FA5EF05350B5181A5BA289B232DA75EA91AF80
                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC8907
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC891B
                                  • GetFileAttributesW.KERNEL32(?), ref: 00FC8945
                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00FC895F
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8971
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC89BA
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FC8A0A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$AttributesFile
                                  • String ID: *.*
                                  • API String ID: 769691225-438819550
                                  • Opcode ID: b81e148a1a36f32d731fad3404fff9c1028c00fa8bc7acd22a63c0046873595e
                                  • Instruction ID: 09673d657869447cefc3bfb5421d21a45a7ef75f10907c0d878c95704797354e
                                  • Opcode Fuzzy Hash: b81e148a1a36f32d731fad3404fff9c1028c00fa8bc7acd22a63c0046873595e
                                  • Instruction Fuzzy Hash: 8A81C4729043029BCB20DF14C996FAAB3E8BF847A0F54481EF885D7690DB34D946EB52
                                  APIs
                                  • SetWindowLongW.USER32(?,000000EB), ref: 00F57387
                                    • Part of subcall function 00F57417: GetClientRect.USER32(?,?), ref: 00F5743D
                                    • Part of subcall function 00F57417: GetWindowRect.USER32(?,?), ref: 00F5747E
                                    • Part of subcall function 00F57417: ScreenToClient.USER32(?,?), ref: 00F574A6
                                  • GetDC.USER32 ref: 00F96045
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F96058
                                  • SelectObject.GDI32(00000000,00000000), ref: 00F96066
                                  • SelectObject.GDI32(00000000,00000000), ref: 00F9607B
                                  • ReleaseDC.USER32(?,00000000), ref: 00F96083
                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F96114
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                  • String ID: U
                                  • API String ID: 4009187628-3372436214
                                  • Opcode ID: e5f28d0f0eed8eafb90edfb4513d9c19b0af925715904d9c3435f2ec0397a0ce
                                  • Instruction ID: 5e31196775ce4ac3645158e57b17a932787c0f4d0afe29888df4db1fb24d668b
                                  • Opcode Fuzzy Hash: e5f28d0f0eed8eafb90edfb4513d9c19b0af925715904d9c3435f2ec0397a0ce
                                  • Instruction Fuzzy Hash: AD71E131800205DFDF259F64C8C4AAA7BB1FF48375F24426AEE559A266C7358C85FF50
                                  APIs
                                  • LoadStringW.USER32(00000066,?,00000FFF,00FEDCEC), ref: 00FC3F3E
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • LoadStringW.USER32(?,?,00000FFF,?), ref: 00FC3F64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: LoadString$_wcslen
                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 4099089115-2391861430
                                  • Opcode ID: e91c41b51f9f4beb30aa849fd337d0d56296ca88df2646bb39df1328ff1be8c7
                                  • Instruction ID: 146051f052a3f07cad7b7b03e01efa131b6ab45c148c15f519db87ca40e77bc3
                                  • Opcode Fuzzy Hash: e91c41b51f9f4beb30aa849fd337d0d56296ca88df2646bb39df1328ff1be8c7
                                  • Instruction Fuzzy Hash: C1519231C4010AABCF15EFE0DC42EEDBB38AF04311F544129FA1576065EB796A99EF51
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                    • Part of subcall function 00F519CD: GetCursorPos.USER32(?), ref: 00F519E1
                                    • Part of subcall function 00F519CD: ScreenToClient.USER32(00000000,?), ref: 00F519FE
                                    • Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000001), ref: 00F51A23
                                    • Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000002), ref: 00F51A3D
                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00FE94CA
                                  • ImageList_EndDrag.COMCTL32 ref: 00FE94D0
                                  • ReleaseCapture.USER32 ref: 00FE94D6
                                  • SetWindowTextW.USER32(?,00000000), ref: 00FE9571
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FE9584
                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00FE965E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 1924731296-2107944366
                                  • Opcode ID: 162c37657740c0815fc3a3b1ff51e466197f1f79c1c29e0b2b045726e683ccd7
                                  • Instruction ID: ad80786cabd923e54f15468edc07a19d51fbd0cdd4a3b34686cdab040552280a
                                  • Opcode Fuzzy Hash: 162c37657740c0815fc3a3b1ff51e466197f1f79c1c29e0b2b045726e683ccd7
                                  • Instruction Fuzzy Hash: 1E519E71608344AFD714EF10CC86F6A77E4FB88715F10051DFA965B2E2CB799908DB62
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FCCBCF
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FCCBF7
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FCCC27
                                  • GetLastError.KERNEL32 ref: 00FCCC7F
                                  • SetEvent.KERNEL32(?), ref: 00FCCC93
                                  • InternetCloseHandle.WININET(00000000), ref: 00FCCC9E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 3113390036-3916222277
                                  • Opcode ID: 14f75de1d2a875fe31f1dae5d5c3f29e1fa0db1c327b6f862759e78a8cc79ffb
                                  • Instruction ID: a6c737f16ef6c220c0f2a2d84d50b929d4c91207009168bf3960e0bab6c9b550
                                  • Opcode Fuzzy Hash: 14f75de1d2a875fe31f1dae5d5c3f29e1fa0db1c327b6f862759e78a8cc79ffb
                                  • Instruction Fuzzy Hash: 69318BB1900249AFD721DF61CE8AFAB7BFCEB49754B10452EF44E96600DB34D904ABA1
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F95437,?,?,Bad directive syntax error,00FEDCD0,00000000,00000010,?,?), ref: 00FBA14B
                                  • LoadStringW.USER32(00000000,?,00F95437,?), ref: 00FBA152
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FBA216
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: HandleLoadMessageModuleString_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                  • API String ID: 858772685-4153970271
                                  • Opcode ID: 9b5ca3f54e5c5d02c18f73335a5b3308ffaa598fd049b1f8257edb4cc6353238
                                  • Instruction ID: e394a7b8dcea6c818b894c67546cb605a4fc1ebbc1d894ba3d99c979afaf0b37
                                  • Opcode Fuzzy Hash: 9b5ca3f54e5c5d02c18f73335a5b3308ffaa598fd049b1f8257edb4cc6353238
                                  • Instruction Fuzzy Hash: 4721603294025EAFCF12AF90CC46EEE7775BF18305F044455FA156A0A2EB799A18EF11
                                  APIs
                                  • GetParent.USER32 ref: 00FB293B
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00FB2950
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FB29DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameParentSend
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 1290815626-3381328864
                                  • Opcode ID: e72a4620fc53e853fce92a8fe175628c78588133e5cae211d0efbe8a2a64e532
                                  • Instruction ID: 26bd1946d6ccfc958803f26b4d78a63067e831102bccd436a1cb35bff4fd0dfa
                                  • Opcode Fuzzy Hash: e72a4620fc53e853fce92a8fe175628c78588133e5cae211d0efbe8a2a64e532
                                  • Instruction Fuzzy Hash: 6F11067764430ABAFA102222DC47DE637DC9F01770F20401BF948E9495EFAA68817955
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                  • String ID:
                                  • API String ID: 1282221369-0
                                  • Opcode ID: a74ca46a7bde9374bb1f762e74da1489255949474b45d68973c668de956f4a03
                                  • Instruction ID: 951a8eb126fbe6050805675eabefae1facc2bd94833f89db31dc6b113fefb606
                                  • Opcode Fuzzy Hash: a74ca46a7bde9374bb1f762e74da1489255949474b45d68973c668de956f4a03
                                  • Instruction Fuzzy Hash: 0961E272E01205EFDF31BF649C81AEA7BA4AF01320F15426DED44A72C5E67AA841A791
                                  APIs
                                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F928F1
                                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F9290A
                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F9291A
                                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F92932
                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F92953
                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F511F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F92962
                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F9297F
                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F511F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F9298E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                  • String ID:
                                  • API String ID: 1268354404-0
                                  • Opcode ID: bcf09cf14ed4870d236d8c7594a02279cc036b518c3b97e4d58a3e43fb35dafc
                                  • Instruction ID: 1dde669573d30b589e789db7c1e3faaf7d683885a2c0946f5db61217af0c8132
                                  • Opcode Fuzzy Hash: bcf09cf14ed4870d236d8c7594a02279cc036b518c3b97e4d58a3e43fb35dafc
                                  • Instruction Fuzzy Hash: F8519930A00209AFEF20CF65CC85BAA3BB5FF48365F104518FA569B2A0D775E994FB50
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FCCADF
                                  • GetLastError.KERNEL32 ref: 00FCCAF2
                                  • SetEvent.KERNEL32(?), ref: 00FCCB06
                                    • Part of subcall function 00FCCBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FCCBCF
                                    • Part of subcall function 00FCCBB0: GetLastError.KERNEL32 ref: 00FCCC7F
                                    • Part of subcall function 00FCCBB0: SetEvent.KERNEL32(?), ref: 00FCCC93
                                    • Part of subcall function 00FCCBB0: InternetCloseHandle.WININET(00000000), ref: 00FCCC9E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                  • String ID:
                                  • API String ID: 337547030-0
                                  • Opcode ID: 7d5dd4d687b09dfcf32b53b49e625fe74b5d4dd658e01f4986af5140820c011b
                                  • Instruction ID: be149886a42eb90fe42f8656d909e316e6ce9dd1f3f324817e84d4509acc2812
                                  • Opcode Fuzzy Hash: 7d5dd4d687b09dfcf32b53b49e625fe74b5d4dd658e01f4986af5140820c011b
                                  • Instruction Fuzzy Hash: FB316E71A0074AAFDB219FA1CE86F66BBF9FF84310B14441DF95A87610D731E814BBA0
                                  APIs
                                    • Part of subcall function 00FB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB42E6
                                    • Part of subcall function 00FB42CC: GetCurrentThreadId.KERNEL32 ref: 00FB42ED
                                    • Part of subcall function 00FB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2E43), ref: 00FB42F4
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2E4D
                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FB2E6B
                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FB2E6F
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2E79
                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FB2E91
                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FB2E95
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2E9F
                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FB2EB3
                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FB2EB7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                  • String ID:
                                  • API String ID: 2014098862-0
                                  • Opcode ID: 5293634b629beedcb52c987b8b693e37a73de6637bff4a99aeecbf14d2d7c953
                                  • Instruction ID: 44f082812c95ddd45b9024a21aa600c97517e1aa306b77a3ba6371336b7a03d8
                                  • Opcode Fuzzy Hash: 5293634b629beedcb52c987b8b693e37a73de6637bff4a99aeecbf14d2d7c953
                                  • Instruction Fuzzy Hash: 3401D8313802147BFB10676A9CCAF563F59DB4AB11F100001F318AE1E1C9E66444EE69
                                  APIs
                                    • Part of subcall function 00FBDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 00FBDCC1
                                    • Part of subcall function 00FBDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 00FBDCCF
                                    • Part of subcall function 00FBDC9C: CloseHandle.KERNEL32(00000000), ref: 00FBDD9C
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDAACC
                                  • GetLastError.KERNEL32 ref: 00FDAADF
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDAB12
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FDABC7
                                  • GetLastError.KERNEL32(00000000), ref: 00FDABD2
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDAC23
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                  • String ID: SeDebugPrivilege
                                  • API String ID: 2533919879-2896544425
                                  • Opcode ID: 8068294a93062e67a6833e951b292c7737c83ac8799075750a0f5a659e9ca9b1
                                  • Instruction ID: 32db5b1e65d029e985e6f344dd6a74194527896ca2b6dcd7553aabb18ca0a80a
                                  • Opcode Fuzzy Hash: 8068294a93062e67a6833e951b292c7737c83ac8799075750a0f5a659e9ca9b1
                                  • Instruction Fuzzy Hash: 7861B1312042419FD310DF14C894F16BBE2AF44318F18848EE4664FBA3C779ED4ADB96
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FE4284
                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FE4299
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FE42B3
                                  • _wcslen.LIBCMT ref: 00FE42F8
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FE4325
                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FE4353
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcslen
                                  • String ID: SysListView32
                                  • API String ID: 2147712094-78025650
                                  • Opcode ID: dcad0f9e9b20930492e6d18d711f24f28f046cdf4ac7a729d02d6b211a7ec603
                                  • Instruction ID: 97f05937b705f5c937a8a88f4585fd09a8f8762ab7b10563a418abfc4585b18b
                                  • Opcode Fuzzy Hash: dcad0f9e9b20930492e6d18d711f24f28f046cdf4ac7a729d02d6b211a7ec603
                                  • Instruction Fuzzy Hash: D741B631D00358ABDB219F65CC49FEA77A9FF48360F10052AFA54E7191D775AD80EB90
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBC5D9
                                  • IsMenu.USER32(00000000), ref: 00FBC5F9
                                  • CreatePopupMenu.USER32 ref: 00FBC62F
                                  • GetMenuItemCount.USER32(01075728), ref: 00FBC680
                                  • InsertMenuItemW.USER32(01075728,?,00000001,00000030), ref: 00FBC6A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                  • String ID: 0$2
                                  • API String ID: 93392585-3793063076
                                  • Opcode ID: cb47c46e3d2506eef86e9ef02e03e2f8a81d2b856719f93701bdd92ab263e13d
                                  • Instruction ID: e0476ac3107cf382e5bbecbd880885d42be8afe9cd681127966943e8db84d75e
                                  • Opcode Fuzzy Hash: cb47c46e3d2506eef86e9ef02e03e2f8a81d2b856719f93701bdd92ab263e13d
                                  • Instruction Fuzzy Hash: 1251D471A003049BDF10CF6AC884FEFBBF6AF48324F145129E5199B291E7709940EFA1
                                  APIs
                                  • LoadIconW.USER32(00000000,00007F03), ref: 00FBD0D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2457776203-404129466
                                  • Opcode ID: 4be2923d07c63cafac61919fd964ac624e88110d8030b128d94c33f749a09060
                                  • Instruction ID: f019d65fbd3ac731538779636c046ea0e5c322ea96ec3d68c040e76d3c202c44
                                  • Opcode Fuzzy Hash: 4be2923d07c63cafac61919fd964ac624e88110d8030b128d94c33f749a09060
                                  • Instruction Fuzzy Hash: 29115B3274C307BAE7246B169C82DDA33DC9F053B0F60002FF9446A285FB75AD016567
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 642191829-3771769585
                                  • Opcode ID: 20b17d4577e2d95f6e0a35010cc6d19b1f2d8a024962acecf27241cf89f5aacb
                                  • Instruction ID: a9895056df427d7d88bf38ac4c05df8f1c36538bf0b84920ba3b10a60093239f
                                  • Opcode Fuzzy Hash: 20b17d4577e2d95f6e0a35010cc6d19b1f2d8a024962acecf27241cf89f5aacb
                                  • Instruction Fuzzy Hash: F7112931900209AFDB346731DC4AEDE37BCDF40720F110176F5559A091EFB49A81BE51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$LocalTime
                                  • String ID:
                                  • API String ID: 952045576-0
                                  • Opcode ID: 1b747ffa2e366113440c6222b5ec210244d7568186840be504599d937bc0c45e
                                  • Instruction ID: e1cbd9d6d70422b4c2913f25d6bf96ecc579b00607b1e853d4801c9990e06752
                                  • Opcode Fuzzy Hash: 1b747ffa2e366113440c6222b5ec210244d7568186840be504599d937bc0c45e
                                  • Instruction Fuzzy Hash: 6641A3A6C1051876CB11EBB88C46DCEB7B9AF05310F908463E91CE3172FB38E255D7A6
                                  APIs
                                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F939BC,00000004,00000000,00000000), ref: 00F6FC4F
                                  • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F939BC,00000004,00000000,00000000), ref: 00FAFBB5
                                  • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F939BC,00000004,00000000,00000000), ref: 00FAFC38
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ShowWindow
                                  • String ID:
                                  • API String ID: 1268545403-0
                                  • Opcode ID: d82c762cd00240bd42962cab99776b1740a0710d1cc20d1f610c8182f6a90628
                                  • Instruction ID: dd2d01193347dc4132aef12bf87dea6d55377f74cdc78db30e414501ebfe6056
                                  • Opcode Fuzzy Hash: d82c762cd00240bd42962cab99776b1740a0710d1cc20d1f610c8182f6a90628
                                  • Instruction Fuzzy Hash: F9416E71A086CC9AC7359B29E9D872A3BA1BF86330F14443CF8974A561C7359A88F714
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 00FE367A
                                  • GetDC.USER32(00000000), ref: 00FE3682
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE368D
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00FE3699
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FE36D5
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FE36E6
                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FE63C4,?,?,000000FF,00000000,?,000000FF,?), ref: 00FE3721
                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FE3740
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                  • String ID:
                                  • API String ID: 3864802216-0
                                  • Opcode ID: e4c87093ec3ced3d04333487e7b8f2eb10eacc2ceff383f0e680db319e90e745
                                  • Instruction ID: 1ecb749b6bbe0298ce0183137467eabc9dda570eb7bec1d3eabcf816eb251dee
                                  • Opcode Fuzzy Hash: e4c87093ec3ced3d04333487e7b8f2eb10eacc2ceff383f0e680db319e90e745
                                  • Instruction Fuzzy Hash: E431ACB2205258BFEB218F11CC8AFEB3BADEF49761F054055FE089E291C6759C41DBA4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  • Opcode ID: a95626e31878a150480857e56e07c11fa082dfc8e59b082611ae6d8b3dc29eb6
                                  • Instruction ID: 9781f789b11f3d0c546bc7189fc5f4acd0b75792142528212fba2b20fa4d363f
                                  • Opcode Fuzzy Hash: a95626e31878a150480857e56e07c11fa082dfc8e59b082611ae6d8b3dc29eb6
                                  • Instruction Fuzzy Hash: BC21DA71B00A097BD70455179D43FFB73ACBE00BA8B144011FE0A9A642FF2CDE16B9A2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: NULL Pointer assignment$Not an Object type
                                  • API String ID: 0-572801152
                                  • Opcode ID: 598260d73000338b783722a84e4cbc62860931857824c45616ca1e95c6eb3ec0
                                  • Instruction ID: 5f5c7829b68c739fb5825f03d26773638c6403d38bbc299e240e776208c9b01a
                                  • Opcode Fuzzy Hash: 598260d73000338b783722a84e4cbc62860931857824c45616ca1e95c6eb3ec0
                                  • Instruction Fuzzy Hash: 9CD19E71A0071A9FDB10CF68C881EAEB7B6BF48714F18816AE915AB381E770ED45DB50
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F91B9B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F9196E
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F91B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F919F1
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F91B9B,?,00F91B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91A84
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F91B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91A9B
                                    • Part of subcall function 00F83BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A99,?,0000015D,?,?,?,?,00F785D0,000000FF,00000000,?,?), ref: 00F83BE2
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F91B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91B17
                                  • __freea.LIBCMT ref: 00F91B42
                                  • __freea.LIBCMT ref: 00F91B4E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 2829977744-0
                                  • Opcode ID: c11d21cf92cff4d758dd4e5b2e3dfe57a1e38117a475090a8ca718bc2a0565c2
                                  • Instruction ID: 3631adeedc5bb93a945c99a03f9f5c48ee2472a9a3b99f6c55f93b989e7345b0
                                  • Opcode Fuzzy Hash: c11d21cf92cff4d758dd4e5b2e3dfe57a1e38117a475090a8ca718bc2a0565c2
                                  • Instruction Fuzzy Hash: 1491A172E00217AEFF218E64CC91AEEBBA5BF49760F144579E805E7181EB39DC40E760
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit
                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                  • API String ID: 2610073882-625585964
                                  • Opcode ID: f1a5c11c35bdf1aa12c681992fee1615fe99ad951860de5670dc0560d0a50e83
                                  • Instruction ID: e8b965a58b851489abcefa3b74477ff673022c12a3367f6f9b2fa2de259fdc5a
                                  • Opcode Fuzzy Hash: f1a5c11c35bdf1aa12c681992fee1615fe99ad951860de5670dc0560d0a50e83
                                  • Instruction Fuzzy Hash: 3191A171E00219ABDF20CFA4CC48FAEBBB9EF45724F14855AF515AB290D770A944DFA0
                                  APIs
                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FC1B30
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1B58
                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00FC1B7C
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1BAC
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1C33
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1C98
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1D04
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                                  • String ID:
                                  • API String ID: 2550207440-0
                                  • Opcode ID: 71ceea3785e42b496adea0e0a15f06ea1bee690924e3c670c441db2f09081448
                                  • Instruction ID: fb7d55905a104e2c3a1c2cd6de8fbf18143ef82d7440eeb24952ffc227386fc4
                                  • Opcode Fuzzy Hash: 71ceea3785e42b496adea0e0a15f06ea1bee690924e3c670c441db2f09081448
                                  • Instruction Fuzzy Hash: FA91007290020A9FDB10CF94C986FFE77B4FF46721F104019E901AB292D778A955EF90
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$BeginCreatePath
                                  • String ID:
                                  • API String ID: 3225163088-0
                                  • Opcode ID: 0fe33520c5f7f3d5de8d4e2b04fd6eb01759764dd8548545fdce6ea99385867c
                                  • Instruction ID: 9b5125abfd15a97f6051c1b0e465a82ba57d56bf1281e17fec9333bc7ce15cf7
                                  • Opcode Fuzzy Hash: 0fe33520c5f7f3d5de8d4e2b04fd6eb01759764dd8548545fdce6ea99385867c
                                  • Instruction Fuzzy Hash: 2F915971D00219AFCF10CFA9CC85AEEBBB8FF49321F144159EA11B7251D778AA45DB60
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 00FD42C8
                                  • CharUpperBuffW.USER32(?,?), ref: 00FD43D7
                                  • _wcslen.LIBCMT ref: 00FD43E7
                                  • VariantClear.OLEAUT32(?), ref: 00FD457C
                                    • Part of subcall function 00FC15B3: VariantInit.OLEAUT32(00000000), ref: 00FC15F3
                                    • Part of subcall function 00FC15B3: VariantCopy.OLEAUT32(?,?), ref: 00FC15FC
                                    • Part of subcall function 00FC15B3: VariantClear.OLEAUT32(?), ref: 00FC1608
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                  • API String ID: 4137639002-1221869570
                                  • Opcode ID: 7a59105a12ad85578654e1abca52f4018cb705a1c0098695085187d23921fe14
                                  • Instruction ID: 909528a015c24844d92a4913e02d5e4bdeea6b6f8394f2d3c21bbd96b5fdf981
                                  • Opcode Fuzzy Hash: 7a59105a12ad85578654e1abca52f4018cb705a1c0098695085187d23921fe14
                                  • Instruction Fuzzy Hash: EA917C75A043459FC700DF28C88196AB7E5FF89314F18892EF8899B351DB35ED46EB42
                                  APIs
                                    • Part of subcall function 00FB089E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?,?,00FB0BEE), ref: 00FB08BB
                                    • Part of subcall function 00FB089E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?), ref: 00FB08D6
                                    • Part of subcall function 00FB089E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?), ref: 00FB08E4
                                    • Part of subcall function 00FB089E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?), ref: 00FB08F4
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FD55AE
                                  • _wcslen.LIBCMT ref: 00FD56B6
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FD572C
                                  • CoTaskMemFree.OLE32(?), ref: 00FD5737
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 614568839-2785691316
                                  • Opcode ID: db7678260af138926c9450b99d77dcc56496585353931e5c902a61972c22d5c5
                                  • Instruction ID: 1dc7581d15a6f3d6f284c622405627a0871550afcaf84b8ffb995e923126a38e
                                  • Opcode Fuzzy Hash: db7678260af138926c9450b99d77dcc56496585353931e5c902a61972c22d5c5
                                  • Instruction Fuzzy Hash: 17913671D0021DAFDF10DFA4DC80AEEBBB9BF08714F14816AE915AB291DB749A44DF60
                                  APIs
                                  • GetMenu.USER32(?), ref: 00FE2AE2
                                  • GetMenuItemCount.USER32(00000000), ref: 00FE2B14
                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FE2B3C
                                  • _wcslen.LIBCMT ref: 00FE2B72
                                  • GetMenuItemID.USER32(?,?), ref: 00FE2BAC
                                  • GetSubMenu.USER32(?,?), ref: 00FE2BBA
                                    • Part of subcall function 00FB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB42E6
                                    • Part of subcall function 00FB42CC: GetCurrentThreadId.KERNEL32 ref: 00FB42ED
                                    • Part of subcall function 00FB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2E43), ref: 00FB42F4
                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FE2C42
                                    • Part of subcall function 00FBF1A7: Sleep.KERNEL32 ref: 00FBF21F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                  • String ID:
                                  • API String ID: 4196846111-0
                                  • Opcode ID: c70b94992b7a065a7d6c7c5723854851bc9414ab4e50ae23ecaa193bd5fa38bf
                                  • Instruction ID: 83720490e317786214ee99830d1258975a0bd029c81c517642891508e3c0d919
                                  • Opcode Fuzzy Hash: c70b94992b7a065a7d6c7c5723854851bc9414ab4e50ae23ecaa193bd5fa38bf
                                  • Instruction Fuzzy Hash: DE71A435E00245AFCB50DF69C845AAE77F5EF48320F148469E816EB351DB74EE41AB90
                                  APIs
                                  • IsWindow.USER32(00000000), ref: 00FE8896
                                  • IsWindowEnabled.USER32(00000000), ref: 00FE88A2
                                  • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FE897D
                                  • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00FE89B0
                                  • IsDlgButtonChecked.USER32(?,00000000), ref: 00FE89E8
                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 00FE8A0A
                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FE8A22
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                  • String ID:
                                  • API String ID: 4072528602-0
                                  • Opcode ID: d19aacc220b0c5ebd6bbd584361d836749359c9cfd5c2535662e077c5cb8fbe6
                                  • Instruction ID: 095d55994878d88d5e8249a354022b12ed34304ff6c712cda130bf8c5e02d9a8
                                  • Opcode Fuzzy Hash: d19aacc220b0c5ebd6bbd584361d836749359c9cfd5c2535662e077c5cb8fbe6
                                  • Instruction Fuzzy Hash: 4771D434E04285AFDF35AF52C884FBE7BB5EF097A0F140459E84957252CB35AE42EB11
                                  APIs
                                  • GetParent.USER32(?), ref: 00FBB7D5
                                  • GetKeyboardState.USER32(?), ref: 00FBB7EA
                                  • SetKeyboardState.USER32(?), ref: 00FBB84B
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00FBB879
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00FBB898
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00FBB8D9
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FBB8FC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: f72b95fe9ab2d86f57119d10f7dd9683f3738269b00f8e63d74beb39da3ed11b
                                  • Instruction ID: 61505b26b3cf8f0587a214969e835fd60b2680ba9a89bae1c95c36910e23b25a
                                  • Opcode Fuzzy Hash: f72b95fe9ab2d86f57119d10f7dd9683f3738269b00f8e63d74beb39da3ed11b
                                  • Instruction Fuzzy Hash: A751B3A0A047D53DFB3646368C49BFABF995F06314F088489E1D9498D2C7D8EC89FB50
                                  APIs
                                  • GetParent.USER32(00000000), ref: 00FBB5F5
                                  • GetKeyboardState.USER32(?), ref: 00FBB60A
                                  • SetKeyboardState.USER32(?), ref: 00FBB66B
                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FBB697
                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FBB6B4
                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FBB6F3
                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FBB714
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  • Opcode ID: 6a62a74baa2833faf3302275abd2fe9982a6321cf27a3a7186ec903bf78853d0
                                  • Instruction ID: 1bbc778cb6ead9df7124806d6b193c6dab16d0d85c3a1ca3a4a7dcdd37a76a03
                                  • Opcode Fuzzy Hash: 6a62a74baa2833faf3302275abd2fe9982a6321cf27a3a7186ec903bf78853d0
                                  • Instruction Fuzzy Hash: 6351D3A09047D53DFB3287268C45BFABFA99B45310F0C8489E1D54A8C2D7D4EC88FB61
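The two PostMessageW records above (the function at 00FBB5F5 posting message 0x100 and its twin at 00FBB7D5 posting 0x101) are what the report's "simulate keystroke presses" signature rests on: each snapshots the keyboard state, patches it, and posts WM_KEYDOWN or WM_KEYUP for the Shift, Ctrl, Alt and Left-Win keys, which is the shape of AutoIt's Send() helper rather than real user input. The script below is an added example, not code from the Joe Sandbox report or from AutoIt: it parses lines in the report's own "APIs" format, names the message and virtual-key constants, and flags the snapshot/patch/post pattern. SAMPLE is constructed by copying the WM_KEYDOWN record's lines; the constant tables hold only Win32 values the author is certain of, and anything outside them is printed as a raw number instead of guessed.

```python
"""Decode the "APIs" lines of a Joe Sandbox function record.

Added example; not part of the Joe Sandbox report and not code from the
AutoIt runtime it analysed. SAMPLE is copied from the WM_KEYDOWN record;
the constant tables hold only Win32 values the author is certain of.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "Name.MODULE(arg,arg,...), ref: ADDR"  or  "_name.LIBCMT ref: ADDR";
# inlined callee lines carry a "Part of subcall function ADDR:" prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
    0x0142: "CB_SETEDITSEL",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
HTCAPTION = 2  # wParam of WM_NCLBUTTONDOWN that starts a title-bar drag


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple               # int per literal argument, None for an unresolved "?"
    ref: int                  # address of the call site
    subcall_of: Optional[int] = None


def parse_line(line: str) -> ApiCall:
    text = line.strip().lstrip("•").strip()
    m = API_LINE.match(text)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = tuple(None if a == "?" else int(a, 16)
                 for a in (raw.split(",") if raw else []))
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(sub, 16) if sub else None)


def parse_record(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def describe(call: ApiCall) -> str:
    """Name the message and key constants in Send/PostMessageW calls."""
    if (call.api in ("SendMessageW", "PostMessageW") and len(call.args) >= 3
            and call.args[1] is not None):
        msg, wparam = call.args[1], call.args[2]
        name = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
        if name in ("WM_KEYDOWN", "WM_KEYUP") and wparam is not None:
            key = VIRTUAL_KEYS.get(wparam, f"vk=0x{wparam:02X}")
            return f"{call.api} {name} {key}"
        if name == "WM_NCLBUTTONDOWN" and wparam == HTCAPTION:
            return f"{call.api} {name} HTCAPTION (drag window by its body)"
        return f"{call.api} {name}"
    return call.api


def keystroke_injection(calls) -> list:
    """Modifier keys a record injects by snapshotting, patching and posting
    keyboard state; [] when that pattern is absent from the record."""
    apis = {c.api for c in calls}
    if not {"GetKeyboardState", "SetKeyboardState", "PostMessageW"} <= apis:
        return []
    keys = []
    for c in calls:
        if (c.api == "PostMessageW" and len(c.args) >= 3
                and c.args[1] in (0x0100, 0x0101) and c.args[2] is not None):
            keys.append(VIRTUAL_KEYS.get(c.args[2], f"0x{c.args[2]:02X}"))
    return keys


# Constructed input: the WM_KEYDOWN record's API lines, copied from the report.
SAMPLE = """\
• GetParent.USER32(00000000), ref: 00FBB5F5
• GetKeyboardState.USER32(?), ref: 00FBB60A
• SetKeyboardState.USER32(?), ref: 00FBB66B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FBB697
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FBB6B4
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FBB6F3
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FBB714
"""

if __name__ == "__main__":
    calls = parse_record(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    print("modifiers injected:", keystroke_injection(calls))
```

Running it lists each call site with its decoded message and key, then the four modifier keys the record injects. parse_line also accepts the indented "Part of subcall function ADDR:" lines, so a whole record including its inlined callees can be fed through parse_record; the same decoding names the SendMessageW 0xA1/HTCAPTION call at 00FE8A22 above as the drag-by-client-area trick.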
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00F85F33,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00F85800
                                  • __fassign.LIBCMT ref: 00F8587B
                                  • __fassign.LIBCMT ref: 00F85896
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00F858BC
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,00F85F33,00000000,?,?,?,?,?,?,?,?,?,00F85F33,?), ref: 00F858DB
                                  • WriteFile.KERNEL32(?,?,00000001,00F85F33,00000000,?,?,?,?,?,?,?,?,?,00F85F33,?), ref: 00F85914
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00F730DB
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00F730E3
                                  • _ValidateLocalCookies.LIBCMT ref: 00F73171
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00F7319C
                                  • _ValidateLocalCookies.LIBCMT ref: 00F731F1
                                  Strings
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  APIs
                                    • Part of subcall function 00FD39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD39D7
                                    • Part of subcall function 00FD39AB: _wcslen.LIBCMT ref: 00FD39F8
                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FD1A6F
                                  • WSAGetLastError.WSOCK32 ref: 00FD1A7E
                                  • WSAGetLastError.WSOCK32 ref: 00FD1B26
                                  • closesocket.WSOCK32(00000000), ref: 00FD1B56
                                  Similarity
                                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                  • String ID:
                                  APIs
                                    • Part of subcall function 00FBE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FBD6E2,?), ref: 00FBE629
                                    • Part of subcall function 00FBE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FBD6E2,?), ref: 00FBE642
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00FBD705
                                  • MoveFileW.KERNEL32(?,?), ref: 00FBD73F
                                  • _wcslen.LIBCMT ref: 00FBD7C5
                                  • _wcslen.LIBCMT ref: 00FBD7DB
                                  • SHFileOperationW.SHELL32(?), ref: 00FBD821
                                  Strings
                                  Similarity
                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                  • String ID: \*.*
                                  APIs
                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FE377B
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE37AE
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE37E3
                                  • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FE3815
                                  • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FE383F
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE3850
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE386A
                                  Similarity
                                  • API ID: LongWindow$MessageSend
                                  • String ID:
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB80D1
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB80F7
                                  • SysAllocString.OLEAUT32(00000000), ref: 00FB80FA
                                  • SysAllocString.OLEAUT32 ref: 00FB811B
                                  • SysFreeString.OLEAUT32 ref: 00FB8124
                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00FB813E
                                  • SysAllocString.OLEAUT32(?), ref: 00FB814C
                                  Similarity
                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                  • String ID:
                                  APIs
                                  • GetStdHandle.KERNEL32(0000000C), ref: 00FC0DAE
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC0DEA
                                  Strings
                                  Similarity
                                  • API ID: CreateHandlePipe
                                  • String ID: nul
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 00FC0E82
                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC0EBD
                                  Strings
                                  Similarity
                                  • API ID: CreateHandlePipe
                                  • String ID: nul
                                  APIs
                                    • Part of subcall function 00F5771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F57759
                                    • Part of subcall function 00F5771B: GetStockObject.GDI32(00000011), ref: 00F5776D
                                    • Part of subcall function 00F5771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F57777
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FE4A71
                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FE4A7E
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FE4A89
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FE4A98
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FE4AA4
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$CreateObjectStockWindow
                                  • String ID: Msctls_Progress32
                                  APIs
                                    • Part of subcall function 00F8DB43: _free.LIBCMT ref: 00F8DB6C
                                  • _free.LIBCMT ref: 00F8DBCD
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F8DBD8
                                  • _free.LIBCMT ref: 00F8DBE3
                                  • _free.LIBCMT ref: 00F8DC37
                                  • _free.LIBCMT ref: 00F8DC42
                                  • _free.LIBCMT ref: 00F8DC4D
                                  • _free.LIBCMT ref: 00F8DC58
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FBE23D
                                  • LoadStringW.USER32(00000000), ref: 00FBE244
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FBE25A
                                  • LoadStringW.USER32(00000000), ref: 00FBE261
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FBE2A5
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 00FBE282
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message
                                  • String ID: %s (%d) : ==> %s: %s %s
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 00FC1237
                                  • EnterCriticalSection.KERNEL32(00000000,?), ref: 00FC1249
                                  • TerminateThread.KERNEL32(00000000,000001F6), ref: 00FC1257
                                  • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FC1265
                                  • CloseHandle.KERNEL32(00000000), ref: 00FC1274
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC1284
                                  • LeaveCriticalSection.KERNEL32(00000000), ref: 00FC128B
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  APIs
                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FD271D
                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FD273E
                                  • WSAGetLastError.WSOCK32 ref: 00FD274F
                                  • htons.WSOCK32(?,?,?,?,?), ref: 00FD2838
                                  • inet_ntoa.WSOCK32(?), ref: 00FD27E9
                                    • Part of subcall function 00FB4277: _strlen.LIBCMT ref: 00FB4281
                                    • Part of subcall function 00FD3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FCF569), ref: 00FD3B9D
                                  • _strlen.LIBCMT ref: 00FD2892
                                  Similarity
                                  • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                  • String ID:
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 00F5743D
                                  • GetWindowRect.USER32(?,?), ref: 00F5747E
                                  • ScreenToClient.USER32(?,?), ref: 00F574A6
                                  • GetClientRect.USER32(?,?), ref: 00F575E4
                                  • GetWindowRect.USER32(?,?), ref: 00F57605
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Rect$Client$Window$Screen
                                  • String ID:
                                  • API String ID: 1296646539-0
                                  • Opcode ID: ab6ec3e4a7c4a45b5d27ee7cf274d3d5e4a5f5d34fb0ac5343092888bf604727
                                  • Instruction ID: 3f52537b51be049fa1589383e47747d1927536257e1f2b45e60677154359234c
                                  • Opcode Fuzzy Hash: ab6ec3e4a7c4a45b5d27ee7cf274d3d5e4a5f5d34fb0ac5343092888bf604727
                                  • Instruction Fuzzy Hash: A7B17635A0074ADBDF10DFA9C4807EAB7F1FF48311F14841AE8AAD7250EB30A994EB50
                                  APIs
                                  • __allrem.LIBCMT ref: 00F8044A
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80466
                                  • __allrem.LIBCMT ref: 00F8047D
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F8049B
                                  • __allrem.LIBCMT ref: 00F804B2
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F804D0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                  • Instruction ID: b8b86940ab3b88d1fe5755133b1dd1a465ad8bfb1ad40f6cd4432b08b2327c60
                                  • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                  • Instruction Fuzzy Hash: 4381F872A40706ABE764FE68CC81BEA73A8AF40334F64412EF515D6291EF74D908AB50
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F78669,00F78669,?,?,?,00F867DF,00000001,00000001,8BE85006), ref: 00F865E8
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F867DF,00000001,00000001,8BE85006,?,?,?), ref: 00F8666E
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F86768
                                  • __freea.LIBCMT ref: 00F86775
                                    • Part of subcall function 00F83BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A99,?,0000015D,?,?,?,?,00F785D0,000000FF,00000000,?,?), ref: 00F83BE2
                                  • __freea.LIBCMT ref: 00F8677E
                                  • __freea.LIBCMT ref: 00F867A3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: fab121e39da53ebb8f1d7b24479322d3ce53874c581a2bca57d149078335785d
                                  • Instruction ID: 954fb74fee4e5f1863c513f0e15b1c4b5afed84315dde2dcc7769c6af983e58a
                                  • Opcode Fuzzy Hash: fab121e39da53ebb8f1d7b24479322d3ce53874c581a2bca57d149078335785d
                                  • Instruction Fuzzy Hash: 6951C572A00216AFEB25AF64CC81EFF77AAEB44764B154629FD04DA150EF38DC40E790
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC00D,?,?), ref: 00FDD314
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD350
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3C7
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3FD
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC629
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FDC684
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00FDC6C9
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FDC6F8
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FDC752
                                  • RegCloseKey.ADVAPI32(?), ref: 00FDC75E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                  • String ID:
                                  • API String ID: 1120388591-0
                                  • Opcode ID: 736f68c6c6dc0b94ff808630258ac5c6af3ecb3822e22c9f960e5be83c9e7765
                                  • Instruction ID: dc38bbdbf906daf0c4483ed082d54e323a487ebbb8381f98ed172154ab6844da
                                  • Opcode Fuzzy Hash: 736f68c6c6dc0b94ff808630258ac5c6af3ecb3822e22c9f960e5be83c9e7765
                                  • Instruction Fuzzy Hash: D081B231108245AFD714DF24C884E2ABBF6FF84318F18855DF5998B2A2DB35ED05EB91
                                  APIs
                                  • VariantInit.OLEAUT32(00000035), ref: 00FB0049
                                  • SysAllocString.OLEAUT32(00000000), ref: 00FB00F0
                                  • VariantCopy.OLEAUT32(00FB02F4,00000000), ref: 00FB0119
                                  • VariantClear.OLEAUT32(00FB02F4), ref: 00FB013D
                                  • VariantCopy.OLEAUT32(00FB02F4,00000000), ref: 00FB0141
                                  • VariantClear.OLEAUT32(?), ref: 00FB014B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$ClearCopy$AllocInitString
                                  • String ID:
                                  • API String ID: 3859894641-0
                                  • Opcode ID: 82a43e2d9c89f75ee7ff5282aff23fbfa4720c496f72201dbc99f272dd544605
                                  • Instruction ID: 9fd0b85384a74a1601c85b7213455ef89624e2060a2ccac9ecfdddb5fed76f1a
                                  • Opcode Fuzzy Hash: 82a43e2d9c89f75ee7ff5282aff23fbfa4720c496f72201dbc99f272dd544605
                                  • Instruction Fuzzy Hash: D351F836640300EECF24AB659C85BAA73A4EF55310F149087F906DF296EF749C44EF92
                                  APIs
                                    • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00FC9E3F
                                  • _wcslen.LIBCMT ref: 00FC9E60
                                  • _wcslen.LIBCMT ref: 00FC9E87
                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00FC9EDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$FileName$OpenSave
                                  • String ID: X
                                  • API String ID: 83654149-3081909835
                                  • Opcode ID: 0f25e39cd1b9a19dbf5a55e64b81454bc44b6ad7464dfdbde7058294a99ee612
                                  • Instruction ID: e67668be25546d2c587630e48530173af8ce96abd4c893f23dffff53aaa44286
                                  • Opcode Fuzzy Hash: 0f25e39cd1b9a19dbf5a55e64b81454bc44b6ad7464dfdbde7058294a99ee612
                                  • Instruction Fuzzy Hash: 62E1C1319083418FD724DF24C986F6AB7E0BF84314F04856DF99A9B2A2DB74ED05DB92
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • BeginPaint.USER32(?,?,?), ref: 00F51AE1
                                  • GetWindowRect.USER32(?,?), ref: 00F51B45
                                  • ScreenToClient.USER32(?,?), ref: 00F51B62
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F51B73
                                  • EndPaint.USER32(?,?,?,?,?), ref: 00F51BC1
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F9324B
                                    • Part of subcall function 00F51BD9: BeginPath.GDI32(00000000), ref: 00F51BF7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                  • String ID:
                                  • API String ID: 3050599898-0
                                  • Opcode ID: f48aade4fa798527b8f7fdcbbc1431cef2eb19ff349353d38484c0740aeee903
                                  • Instruction ID: be6fa99c12e02d42572dea9b46fac180621a0f3ec0e17d306ce78ae86d7baa0f
                                  • Opcode Fuzzy Hash: f48aade4fa798527b8f7fdcbbc1431cef2eb19ff349353d38484c0740aeee903
                                  • Instruction Fuzzy Hash: DF41D371605304AFDB20DF64DCC4FB67BB8FB85321F100269FAA58B1A1C735A949EB61
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00FC10C8
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FC1103
                                  • EnterCriticalSection.KERNEL32(?), ref: 00FC111F
                                  • LeaveCriticalSection.KERNEL32(?), ref: 00FC1198
                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FC11AF
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC11DD
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                  • String ID:
                                  • API String ID: 3368777196-0
                                  • Opcode ID: 7a4165d8a3b52b1d769591afc0dee8dc7935468215c6ab933d4255e0abbfeb4b
                                  • Instruction ID: 4b24c268c2016500cd28470009ff695871bd74da4f22200f5ce8ae4838ccb484
                                  • Opcode Fuzzy Hash: 7a4165d8a3b52b1d769591afc0dee8dc7935468215c6ab933d4255e0abbfeb4b
                                  • Instruction Fuzzy Hash: 5941AD71900205EBDF149F54CDC5A6A7778FF04310F1480AAEE049E246DB78DE61EBA0
                                  APIs
                                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FAFB8F,00000000,?,?,00000000,?,00F939BC,00000004,00000000,00000000), ref: 00FE8BAB
                                  • EnableWindow.USER32(?,00000000), ref: 00FE8BD1
                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FE8C30
                                  • ShowWindow.USER32(?,00000004), ref: 00FE8C44
                                  • EnableWindow.USER32(?,00000001), ref: 00FE8C6A
                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FE8C8E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  • Opcode ID: a1758734c59f13562bb77c35cea194ca8f7170bee196219e8485ae91ed24dfe9
                                  • Instruction ID: cb03040afe6f459317191e20111e6333b4ad748b14e0eba95aa02295c0fd7346
                                  • Opcode Fuzzy Hash: a1758734c59f13562bb77c35cea194ca8f7170bee196219e8485ae91ed24dfe9
                                  • Instruction Fuzzy Hash: 6E41AB74A021C4EFDB35DF25C889FA57BE0FB46394F2441A5E54D4F2A2CB36A842DB50
                                  APIs
                                  • GetForegroundWindow.USER32(?,?,00000000), ref: 00FD2C45
                                    • Part of subcall function 00FCEE49: GetWindowRect.USER32(?,?), ref: 00FCEE61
                                  • GetDesktopWindow.USER32 ref: 00FD2C6F
                                  • GetWindowRect.USER32(00000000), ref: 00FD2C76
                                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FD2CB2
                                  • GetCursorPos.USER32(?), ref: 00FD2CDE
                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FD2D3C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                  • String ID:
                                  • API String ID: 2387181109-0
                                  • Opcode ID: 3759ddf3a0a1d627ce34cff1d074acd6f00495ff2b54ea2fba29fab81901761f
                                  • Instruction ID: 0c542cd5d65eb95909ce6a2549d8caf0108ecd2ac22dff9e8964e29be575328e
                                  • Opcode Fuzzy Hash: 3759ddf3a0a1d627ce34cff1d074acd6f00495ff2b54ea2fba29fab81901761f
                                  • Instruction Fuzzy Hash: B031EF72504315ABD720DF18CC45B9EB7AAFF84364F04091AF8959B280CB30EA089BD2
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00FB5524
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FB5541
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FB5579
                                  • _wcslen.LIBCMT ref: 00FB5597
                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FB559F
                                  • _wcsstr.LIBVCRUNTIME ref: 00FB55A9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                  • String ID:
                                  • API String ID: 72514467-0
                                  • Opcode ID: f2b48e0b7e2379fdee92865a41eb695340d5112f9ef5e81ed0d8c6610701bbe8
                                  • Instruction ID: e9d5d28564aae5e1c5a07c29117f7cb3db507caf5269ffb66eb19f1a2af467a0
                                  • Opcode Fuzzy Hash: f2b48e0b7e2379fdee92865a41eb695340d5112f9ef5e81ed0d8c6610701bbe8
                                  • Instruction Fuzzy Hash: C7212C726046447BEB255B25DC49FBB7B99DF45B24F14803AF809CD091EF78DC40BA51
                                  APIs
                                    • Part of subcall function 00F5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F55558,?,?,00F94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F5559E
                                  • _wcslen.LIBCMT ref: 00FC61D5
                                  • CoInitialize.OLE32(00000000), ref: 00FC62EF
                                  • CoCreateInstance.OLE32(00FF0CC4,00000000,00000001,00FF0B34,?), ref: 00FC6308
                                  • CoUninitialize.OLE32 ref: 00FC6326
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 3172280962-24824748
                                  • Opcode ID: 8802aa8cba9c461ff5e0a513215e336f7d85cdc7f1d026b1bd1102d77e2d945b
                                  • Instruction ID: 34e9b2222c82e24b61f91a18566dfbd22c58bd8410873554eb1ddb5fdad9ebaf
                                  • Opcode Fuzzy Hash: 8802aa8cba9c461ff5e0a513215e336f7d85cdc7f1d026b1bd1102d77e2d945b
                                  • Instruction Fuzzy Hash: 49D13271A082029FCB14DF24C981E6ABBF5AF89314F14885DF985DB361CB35EC49DB92
                                  APIs
                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FB1D8F
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00FB1D96
                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FB1DA5
                                  • CloseHandle.KERNEL32(00000004), ref: 00FB1DB0
                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FB1DDF
                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FB1DF3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                  • String ID:
                                  • API String ID: 1413079979-0
                                  • Opcode ID: a12c76c614cd7f73c8f5dbe28cc7fb1ed7e2541c5bd634d9d48eac088731b65d
                                  • Instruction ID: d56fe3efd78f2280cecd145f9f96af60144202513f6ee2c6d359a98017ad9fa3
                                  • Opcode Fuzzy Hash: a12c76c614cd7f73c8f5dbe28cc7fb1ed7e2541c5bd634d9d48eac088731b65d
                                  • Instruction Fuzzy Hash: E3111472A0024EABDF118FA4DD89BDE7BA9FB48354F044028FA15A6060D2758E65EB60
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00F73709,00F73375), ref: 00F73720
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F7372E
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F73747
                                  • SetLastError.KERNEL32(00000000,?,00F73709,00F73375), ref: 00F73799
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 6d2a4cbc753e035f5bac581144b73de3ad779ba420e317606bf9a4789432d1b0
                                  • Instruction ID: 8541e02b6f0fcf3c60e041f83ef0d6a13001f1172d9cd056882a0dfffd0c5310
                                  • Opcode Fuzzy Hash: 6d2a4cbc753e035f5bac581144b73de3ad779ba420e317606bf9a4789432d1b0
                                  • Instruction Fuzzy Hash: 6B01B1F7A0E3227EA63966B46CCE6663A95DB057B5320822BF158450E4EE2E4D037342
                                  APIs
                                  • GetLastError.KERNEL32(?,00000000,00F74D73,00000000,?,?,00F76902,?,?,00000000), ref: 00F83108
                                  • _free.LIBCMT ref: 00F8313B
                                  • _free.LIBCMT ref: 00F83163
                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 00F83170
                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 00F8317C
                                  • _abort.LIBCMT ref: 00F83182
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: fc7e6d02a3e9ff3a42abf65e35b685daf417b3d22f835a4907b7f234e8974d76
                                  • Instruction ID: e0165afaaa853def15d2ee3a2d63b45ecc865c79381d0337c7cd59ede6104abd
                                  • Opcode Fuzzy Hash: fc7e6d02a3e9ff3a42abf65e35b685daf417b3d22f835a4907b7f234e8974d76
                                  • Instruction Fuzzy Hash: 01F02832E05D017BC6223334AC4EAEB36699FC5F70B254414F924D61F5EF2D9A02B361
                                  APIs
                                    • Part of subcall function 00F51ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F51F33
                                    • Part of subcall function 00F51ED9: SelectObject.GDI32(?,00000000), ref: 00F51F42
                                    • Part of subcall function 00F51ED9: BeginPath.GDI32(?), ref: 00F51F59
                                    • Part of subcall function 00F51ED9: SelectObject.GDI32(?,00000000), ref: 00F51F82
                                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FE93AD
                                  • LineTo.GDI32(?,00000003,00000000), ref: 00FE93C1
                                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FE93CF
                                  • LineTo.GDI32(?,00000000,00000003), ref: 00FE93DF
                                  • EndPath.GDI32(?), ref: 00FE93EF
                                  • StrokePath.GDI32(?), ref: 00FE93FF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                  • String ID:
                                  • API String ID: 43455801-0
                                  • Opcode ID: 15024a7dfafb62a64035787a7f46adb233682424bb2d94fc325592c8e5b04cc6
                                  • Instruction ID: 682f15243e792142edc590d94318dd890ca7c6716d5215b901261c77c91fd4bd
                                  • Opcode Fuzzy Hash: 15024a7dfafb62a64035787a7f46adb233682424bb2d94fc325592c8e5b04cc6
                                  • Instruction Fuzzy Hash: 5811DE7200014DBFDF119F91DC88EAA7F6DEF04364F048011FE155A1A5D772AD55EB60
                                  APIs
                                  • GetDC.USER32(00000000), ref: 00FB5AA7
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FB5AB8
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB5ABF
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00FB5AC7
                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FB5ADE
                                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FB5AF0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CapsDevice$Release
                                  • String ID:
                                  • API String ID: 1035833867-0
                                  • Opcode ID: 061c491fd4875e572bbf867e39ffef00793d0c209de228183796fe23de993378
                                  • Instruction ID: 7c620ec0afbcf0257d8fb77360507a1c1e9287da1cd5c83c9a7ac577b7690021
                                  • Opcode Fuzzy Hash: 061c491fd4875e572bbf867e39ffef00793d0c209de228183796fe23de993378
                                  • Instruction Fuzzy Hash: 2D014475E00759BBEB109BA69C89B8EBF78EB48751F044065FA05EB280D674D901DF50
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F53236
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F5323E
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F53249
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F53254
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F5325C
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F53264
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: 67646e1f44ce901e09eebc4c644008795658e01607d91638f5b16432ab54a622
                                  • Instruction ID: 444e8c9bf28811d52e8646dead4a872c40bb2552064719f090fc4d28119fe1d3
                                  • Opcode Fuzzy Hash: 67646e1f44ce901e09eebc4c644008795658e01607d91638f5b16432ab54a622
                                  • Instruction Fuzzy Hash: E10167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FBF35C
                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FBF372
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00FBF381
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF390
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF39A
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF3A1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                  • String ID:
                                  • API String ID: 839392675-0
                                  • Opcode ID: cd61d305e83231ced3d66ecf8fe5e203f31e9cd75bf963b25a90eb02285847f4
                                  • Instruction ID: 01819c7fe3f37ebd94f37ebc879e18b778cf6728543dad7eb8f916c42d4acd84
                                  • Opcode Fuzzy Hash: cd61d305e83231ced3d66ecf8fe5e203f31e9cd75bf963b25a90eb02285847f4
                                  • Instruction Fuzzy Hash: 0CF03A3264119CBFE7215B629C4EEEF3B7CEFC6B11F000058FA1199090D7A46A01EAB5
                                  APIs
                                  • GetClientRect.USER32(?), ref: 00F934B3
                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F934CA
                                  • GetWindowDC.USER32(?), ref: 00F934D6
                                  • GetPixel.GDI32(00000000,?,?), ref: 00F934E5
                                  • ReleaseDC.USER32(?,00000000), ref: 00F934F7
                                  • GetSysColor.USER32(00000005), ref: 00F93511
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                  • String ID:
                                  • API String ID: 272304278-0
                                  • Opcode ID: 9faeb5a42d549081475142d2262a8f53f4e8fcbe69ba329f5a46bfc0fc13350a
                                  • Instruction ID: e7cebe7134bb19fb121da90101a1be8bf443aaaad7aecd5b37a73176483a2718
                                  • Opcode Fuzzy Hash: 9faeb5a42d549081475142d2262a8f53f4e8fcbe69ba329f5a46bfc0fc13350a
                                  • Instruction Fuzzy Hash: 86018F31800249EFEF619FA0DC88BEA7BB5FB48321F650164F915AA1A1CB320F41BF11
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB210F
                                  • UnloadUserProfile.USERENV(?,?), ref: 00FB211B
                                  • CloseHandle.KERNEL32(?), ref: 00FB2124
                                  • CloseHandle.KERNEL32(?), ref: 00FB212C
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB2135
                                  • HeapFree.KERNEL32(00000000), ref: 00FB213C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                  • String ID:
                                  • API String ID: 146765662-0
                                  • Opcode ID: 5933cd226480b880dc4de95b4608ea659f259d30aeaef3f1d9be0c7d28ee91bd
                                  • Instruction ID: 14d5dc939f03148e6d99c4f36a5862588d5b427eff5d946bf6f7c1981acafbc9
                                  • Opcode Fuzzy Hash: 5933cd226480b880dc4de95b4608ea659f259d30aeaef3f1d9be0c7d28ee91bd
                                  • Instruction Fuzzy Hash: F3E01A76004149BFEB015FA1ED4CD0ABF39FF49322B104220F2358A870CB329420EB50
                                  APIs
                                    • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FBCEAE
                                  • _wcslen.LIBCMT ref: 00FBCEF5
                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FBCF5C
                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FBCF8A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info_wcslen$Default
                                  • String ID: 0
                                  • API String ID: 1227352736-4108050209
                                  • Opcode ID: ad0e75993ccdd64c7f34d627cf332a2e7c284aea4fb24e289ec8a9d1b0d95801
                                  • Instruction ID: daa6703cadc1797f686de8418c530c686362cf2efe6768fc6d1c3b55a82f35a3
                                  • Opcode Fuzzy Hash: ad0e75993ccdd64c7f34d627cf332a2e7c284aea4fb24e289ec8a9d1b0d95801
                                  • Instruction Fuzzy Hash: ED51E371A043009BD715DF2AC845BBBB7E5AF89324F04096DF9A4D7190DBA4C944EFA2
                                  APIs
                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00FDB802
                                    • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
                                  • GetProcessId.KERNEL32(00000000), ref: 00FDB897
                                  • CloseHandle.KERNEL32(00000000), ref: 00FDB8C6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmpDownload File
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmpDownload File
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmpDownload File
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CloseExecuteHandleProcessShell_wcslen
                                  • String ID: <$@
                                  • API String ID: 146682121-1426351568
                                  • Opcode ID: 015e7969d22e59d365f8286523d9f6e20991ae734021d8eff18ec64e08258128
                                  • Instruction ID: e16e40c58bcbac731e52909ed9357c5bc27d24ddcf4e907651796b51ad13978d
                                  • Opcode Fuzzy Hash: 015e7969d22e59d365f8286523d9f6e20991ae734021d8eff18ec64e08258128
                                  • Instruction Fuzzy Hash: 17717C75A00219DFCB14EF94C885A9EBBF5FF08310F09845AE855AB361CB74ED45EB90
                                  APIs
                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FB7A95
                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FB7ACB
                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FB7ADC
                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7B5E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                  • String ID: DllGetClassObject
                                  • API String ID: 753597075-1075368562
                                  • Opcode ID: bff88ca49b6f98ee356fd0d8314a278566bfc6937ec63c1236f9fdf71b50de28
                                  • Instruction ID: a1c6c00c2903f57a589b11bd0ed29ed891e617a8a39243006378b6e1cd07ae5b
                                  • Opcode Fuzzy Hash: bff88ca49b6f98ee356fd0d8314a278566bfc6937ec63c1236f9fdf71b50de28
                                  • Instruction Fuzzy Hash: 92418171604308EFDB05EF55C884ADABBB9EFC4714F1480ADA9059F24AD7B4DA44EFA0
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE4794
                                  • IsMenu.USER32(?), ref: 00FE47A9
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE47F1
                                  • DrawMenuBar.USER32 ref: 00FE4804
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert
                                  • String ID: 0
                                  • API String ID: 3076010158-4108050209
                                  • Opcode ID: 2bb5fea0750f583d92991391554d13b0a1112821c72e7d824dc8dff17d9c53bb
                                  • Instruction ID: bde4cd9545f7e769e4d88598347dcc0842fb50deace3788d60ed29a70624df3c
                                  • Opcode Fuzzy Hash: 2bb5fea0750f583d92991391554d13b0a1112821c72e7d824dc8dff17d9c53bb
                                  • Instruction Fuzzy Hash: 29414C75A01289EFEB20CF51D884AAA77B5FF45364F04412DE9459B290C731ED50EF90
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FB26F6
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FB2709
                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FB2739
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen$ClassName
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2081771294-1403004172
                                  • Opcode ID: 389378c417517347e2081eff559ec4ed8985891339f6cb79acb3a006dbc2d51d
                                  • Instruction ID: 94da9ca221f164983fb0e85db2e9708047a249edd0d1ecf7a8ff7899374d960c
                                  • Opcode Fuzzy Hash: 389378c417517347e2081eff559ec4ed8985891339f6cb79acb3a006dbc2d51d
                                  • Instruction Fuzzy Hash: D7210571900108BFDB15AB65CC86DFFB7B8EF45760B244119F911AB1E1CF7C490ABA20
                                  APIs
                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FE38EC
                                  • LoadLibraryW.KERNEL32(?), ref: 00FE38F3
                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FE3908
                                  • DestroyWindow.USER32(?), ref: 00FE3910
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$DestroyLibraryLoadWindow
                                  • String ID: SysAnimate32
                                  • API String ID: 3529120543-1011021900
                                  • Opcode ID: 7d6e29339a2c52d90f27dde4e2c281b5e86e571d6f7bc1ad9b301b8ce1ef22eb
                                  • Instruction ID: ba5afd017dabafda3e19ef98fbdb13961b0f925eb0f348a5a3ba32425482e5de
                                  • Opcode Fuzzy Hash: 7d6e29339a2c52d90f27dde4e2c281b5e86e571d6f7bc1ad9b301b8ce1ef22eb
                                  • Instruction Fuzzy Hash: 0E21A471900289AFEB104F65DC8CEBF37AAEF44374F114619FA50A71A6D371DE41A760
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F750AE,?,?,00F7504E,?,010198D8,0000000C,00F751A5,?,00000002), ref: 00F7511D
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F75130
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00F750AE,?,?,00F7504E,?,010198D8,0000000C,00F751A5,?,00000002,00000000), ref: 00F75153
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 3be2ac900fa785df92046204491eb895b5cf4facbab724a3cce276c584d91cc1
                                  • Instruction ID: 5f09116a97d2c6d7e0187a7022fec399a73a83399ec329e9cb6d7a4693d3a484
                                  • Opcode Fuzzy Hash: 3be2ac900fa785df92046204491eb895b5cf4facbab724a3cce276c584d91cc1
                                  • Instruction Fuzzy Hash: B9F04F31A0020CBFDB119B94DC49BADBBB5EF04B66F444069F909A6560CBB59E40EB92
                                  APIs
                                  • LoadLibraryA.KERNEL32 ref: 00FAE72B
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FAE73D
                                  • FreeLibrary.KERNEL32(00000000), ref: 00FAE763
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: GetSystemWow64DirectoryW$X64
                                  • API String ID: 145871493-2590602151
                                  • Opcode ID: 3b9a1b7c789ed9595a251a03cfb82068341d20f23e79d10a33f7f3f016d44f20
                                  • Instruction ID: af30646e488798543286812e798af68b96c3d1d7938972b76aa37248ab952d0f
                                  • Opcode Fuzzy Hash: 3b9a1b7c789ed9595a251a03cfb82068341d20f23e79d10a33f7f3f016d44f20
                                  • Instruction Fuzzy Hash: 7AF022B2C066649FEB725B208C88B693624AF22704F244899F842FB120DB34CD48F784
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F5637F,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F5633E
                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F56350
                                  • FreeLibrary.KERNEL32(00000000,?,?,00F5637F,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56362
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                  • API String ID: 145871493-3689287502
                                  • Opcode ID: a1312489a56a0cb5350518f7617fbae80be892be417b698eb23bdf3b61ed06f9
                                  • Instruction ID: 04f4240b2043b32ff73c8f4a4bd1dd932ac79b8025bed913894f8e700fc909c5
                                  • Opcode Fuzzy Hash: a1312489a56a0cb5350518f7617fbae80be892be417b698eb23bdf3b61ed06f9
                                  • Instruction Fuzzy Hash: 14E0CD32A01B2217B31117167C08B5E76189F91F777050015FE10DB714DF68CC05E1B1
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F954C3,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56304
                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F56316
                                  • FreeLibrary.KERNEL32(00000000,?,?,00F954C3,?,?,00F560AA,?,00000001,?,?,00000000), ref: 00F56329
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                  • API String ID: 145871493-1355242751
                                  • Opcode ID: 8e2321c2cdc5c7b8e425bb38f5765c02d1e7bbd79fa3628ab962f7c828a93a16
                                  • Instruction ID: 53463eef38bbea478b68e7b103c7ec42ffcc784d9c1ae9b378e11075d44fef26
                                  • Opcode Fuzzy Hash: 8e2321c2cdc5c7b8e425bb38f5765c02d1e7bbd79fa3628ab962f7c828a93a16
                                  • Instruction Fuzzy Hash: 96D0C231A025615752222725BC0898E3E24DF85B2A3850019BD10EB738CF28CC01A190
                                  APIs
                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC34D9
                                  • DeleteFileW.KERNEL32(?), ref: 00FC355B
                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FC3571
                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC3582
                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC3594
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: File$Delete$Copy
                                  • String ID:
                                  • API String ID: 3226157194-0
                                  • Opcode ID: e67f4e351864831fdf88a97db2c83d3869b40d304a41dec7a0dc44b0148cfe6b
                                  • Instruction ID: be2494b35c589c8d25fa666caa701f09ff8b1b41ccc9d87f6cdcd5bc972937f1
                                  • Opcode Fuzzy Hash: e67f4e351864831fdf88a97db2c83d3869b40d304a41dec7a0dc44b0148cfe6b
                                  • Instruction Fuzzy Hash: ABB16E72D0011AABDF11DBA4CD86FDEBB7CEF49354F0480AAF609E7141EA349B449B61
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00FDAD86
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FDAD94
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FDADC7
                                  • CloseHandle.KERNEL32(?), ref: 00FDAF9C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                  • String ID:
                                  • API String ID: 3488606520-0
                                  • Opcode ID: f0d33a5434347555d71ac2482f6c9a5f234685fe7282bb170c18ac1577f98b37
                                  • Instruction ID: 092ef8d9a0691955f5812691460894b80fe96c1108f709f46d08f7d297655a9f
                                  • Opcode Fuzzy Hash: f0d33a5434347555d71ac2482f6c9a5f234685fe7282bb170c18ac1577f98b37
                                  • Instruction Fuzzy Hash: 39A1B1B16043009FD720DF24C886B2AB7E5AF44714F18885EF999DB392DB74EC45DB86
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FF46D0), ref: 00F8BF31
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0102221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F8BFA9
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,01022270,000000FF,?,0000003F,00000000,?), ref: 00F8BFD6
                                  • _free.LIBCMT ref: 00F8BF1F
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F8C0EB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  • Opcode ID: e2c92ab39682ad16c6dda8e392d4c1104119ff8260de05f5e556eac909c5f708
                                  • Instruction ID: 35dc0a35dc3b2a3933dc0424e0d11801ff626b73cffdb39b77fc0d7238b5f0a3
                                  • Opcode Fuzzy Hash: e2c92ab39682ad16c6dda8e392d4c1104119ff8260de05f5e556eac909c5f708
                                  • Instruction Fuzzy Hash: F1510A71D00209EFCB20FFA9DC819EEB7B8EF41360B10426AE554D7291EB759E45AB90
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC00D,?,?), ref: 00FDD314
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD350
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3C7
                                    • Part of subcall function 00FDD2F7: _wcslen.LIBCMT ref: 00FDD3FD
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC404
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FDC45F
                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FDC4C2
                                  • RegCloseKey.ADVAPI32(?,?), ref: 00FDC505
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00FDC512
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                  • String ID:
                                  • API String ID: 826366716-0
                                  • Opcode ID: 70ef156f0b6b945d5080096100ca25220d6853593665f0a2b5d95db0be7d5f8c
                                  • Instruction ID: 5ad5edc2d782ca86367e8b98c639b4d20de6313cd423d1a38193c0d59ef8a849
                                  • Opcode Fuzzy Hash: 70ef156f0b6b945d5080096100ca25220d6853593665f0a2b5d95db0be7d5f8c
                                  • Instruction Fuzzy Hash: AC61B231108246AFD314DF24C894E2ABBE5FF84318F18855DF5558B3A2CB35ED45EB91
                                  APIs
                                    • Part of subcall function 00FBE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FBD6E2,?), ref: 00FBE629
                                    • Part of subcall function 00FBE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FBD6E2,?), ref: 00FBE642
                                    • Part of subcall function 00FBE9C5: GetFileAttributesW.KERNEL32(?,00FBD755), ref: 00FBE9C6
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00FBEC9F
                                  • MoveFileW.KERNEL32(?,?), ref: 00FBECD8
                                  • _wcslen.LIBCMT ref: 00FBEE17
                                  • _wcslen.LIBCMT ref: 00FBEE2F
                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FBEE7C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                  • String ID:
                                  • API String ID: 3183298772-0
                                  • Opcode ID: d8fbdc2131918998c0d7e2b0727a0c4eb1cce54ebb6477593dc349862bcf99c4
                                  • Instruction ID: 05bfa75784c976c4959e678cff7d87b805ae2be537f4a735db08276c104675ed
                                  • Opcode Fuzzy Hash: d8fbdc2131918998c0d7e2b0727a0c4eb1cce54ebb6477593dc349862bcf99c4
                                  • Instruction Fuzzy Hash: 405194B24083855BC764EB61CC819DBB7ECAF84310F00492EF689D3152EF74E688DB56
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 00FB945C
                                  • VariantClear.OLEAUT32 ref: 00FB94CD
                                  • VariantClear.OLEAUT32 ref: 00FB952C
                                  • VariantClear.OLEAUT32(?), ref: 00FB959F
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FB95CA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Variant$Clear$ChangeInitType
                                  • String ID:
                                  • API String ID: 4136290138-0
                                  • Opcode ID: 21ad6f0d9c1379aebf5a1706f382d642b4ecb714d0a0bd9795e37112b68eec8b
                                  • Instruction ID: cb56c8aa2bd38a78eaf0f4162f49ad781b3f9ad6fa84fb29da2ff2f750d595f8
                                  • Opcode Fuzzy Hash: 21ad6f0d9c1379aebf5a1706f382d642b4ecb714d0a0bd9795e37112b68eec8b
                                  • Instruction Fuzzy Hash: 025167B1A00619EFDB11CF69C884AAAB7F9FF88310B058559FA09DB354E770E911CF90
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FC9508
                                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FC9534
                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FC958C
                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FC95B1
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FC95B9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String
                                  • String ID:
                                  • API String ID: 2832842796-0
                                  • Opcode ID: bc4e07f2c288d2b6430a053d863ba1cc35de4a6f0f43ec1bf2d8603376843bec
                                  • Instruction ID: 8ee1a6a3f91ebd210e269d2ad4ab5a0e15500fbf97ba628a8017aaf96a35e5ef
                                  • Opcode Fuzzy Hash: bc4e07f2c288d2b6430a053d863ba1cc35de4a6f0f43ec1bf2d8603376843bec
                                  • Instruction Fuzzy Hash: 70518A35A002199FCB05DF64C885E6EBBF5FF48354F088059E909AB362CB75ED45EB90
                                  APIs
                                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FD989F
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00FD992F
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FD994B
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00FD9991
                                  • FreeLibrary.KERNEL32(00000000), ref: 00FD99B1
                                    • Part of subcall function 00F6F9E2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FC1917,?,7529E610), ref: 00F6F9FF
                                    • Part of subcall function 00F6F9E2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FB02F4,00000000,00000000,?,?,00FC1917,?,7529E610,?,00FB02F4), ref: 00F6FA26
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                  • String ID:
                                  • API String ID: 666041331-0
                                  • Opcode ID: f34fa97b81e2e7c3ecc95429e53ca81a5cbb6ce3f2f8437bf27d959d5308d771
                                  • Instruction ID: dc667d0b70b896f08a7769565b070a992dd76c857b7b2fedde0fde1528c92852
                                  • Opcode Fuzzy Hash: f34fa97b81e2e7c3ecc95429e53ca81a5cbb6ce3f2f8437bf27d959d5308d771
                                  • Instruction Fuzzy Hash: AB518E35A04249DFCB01DFA4C4909ADBBF1FF09324B088099E9569B722C775ED85EF91
                                  APIs
                                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FE7592
                                  • SetWindowLongW.USER32(?,000000EC,?), ref: 00FE75A9
                                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FE75D2
                                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FCB4D6,00000000,00000000), ref: 00FE75F7
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FE7626
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Long$MessageSendShow
                                  • String ID:
                                  • API String ID: 3688381893-0
                                  • Opcode ID: 0a1c6979a5f1e1d8363dd25e2c23be444b276ab541f94fe1bde186ecd1c392f0
                                  • Instruction ID: d8a95e47a3c3e621a66bd9e5d3a3ed8b24e54602e89dcdc6f4572f839fd2435e
                                  • Opcode Fuzzy Hash: 0a1c6979a5f1e1d8363dd25e2c23be444b276ab541f94fe1bde186ecd1c392f0
                                  • Instruction Fuzzy Hash: C741CA35A08384AFD725EF69CC44FA57B65EB49360F180224F955972D0D770ED41E650
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: a4e66fc6b55fa58d026d422d030c59d8f74630c6d9f1a3d5d7e6eb12a2c004f2
                                  • Instruction ID: f88f0324e714ec52661c090090ec852a2b0969c39f143a1c968368402a99f8b0
                                  • Opcode Fuzzy Hash: a4e66fc6b55fa58d026d422d030c59d8f74630c6d9f1a3d5d7e6eb12a2c004f2
                                  • Instruction Fuzzy Hash: E741E472E002049FDB20EF78C880A9DB7E5EF88314B1581A9E955EB286DB75FD01EB51
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00F519E1
                                  • ScreenToClient.USER32(00000000,?), ref: 00F519FE
                                  • GetAsyncKeyState.USER32(00000001), ref: 00F51A23
                                  • GetAsyncKeyState.USER32(00000002), ref: 00F51A3D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: AsyncState$ClientCursorScreen
                                  • String ID:
                                  • API String ID: 4210589936-0
                                  • Opcode ID: 38c78bb3f1d8be64d835c833d7a99d2c4d3cd0d627aaeb29f16bd750f4bf65c6
                                  • Instruction ID: 47695471eceb311140433ee5714d0096317cb897d0048ba7de8c0dcb68955a5b
                                  • Opcode Fuzzy Hash: 38c78bb3f1d8be64d835c833d7a99d2c4d3cd0d627aaeb29f16bd750f4bf65c6
                                  • Instruction Fuzzy Hash: 02415071E0425AFBDF159F64C844BEEB774FB05334F208215E929A72A0CB346A94EB51
                                  APIs
                                  • GetInputState.USER32 ref: 00FC4225
                                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FC427C
                                  • TranslateMessage.USER32(?), ref: 00FC42A5
                                  • DispatchMessageW.USER32(?), ref: 00FC42AF
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC42C0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                  • String ID:
                                  • API String ID: 2256411358-0
                                  • Opcode ID: b2652880afef776004b92482d540e8ab009b138947ff8a4c79d684fd8ac1fc82
                                  • Instruction ID: 29c2cf654dcda0f1ea608f8e224e631e9d3f1bdb833fa453aafab66457558873
                                  • Opcode Fuzzy Hash: b2652880afef776004b92482d540e8ab009b138947ff8a4c79d684fd8ac1fc82
                                  • Instruction Fuzzy Hash: 2E31C630D003879EEB34CB649A5BFF637ACEB11314F14056DE4A686090D7A9B484FB11
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00FB21A5
                                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 00FB2251
                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 00FB2259
                                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 00FB226A
                                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FB2272
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessagePostSleep$RectWindow
                                  • String ID:
                                  • API String ID: 3382505437-0
                                  • Opcode ID: 21179d6af65765bf542efebfc3ae646070eeed6ffab671384f884d246dcd95ae
                                  • Instruction ID: 6342ab94f11c9270cedf5d388532d8b0b63168a0d6aaf9f420d96fb0dae87334
                                  • Opcode Fuzzy Hash: 21179d6af65765bf542efebfc3ae646070eeed6ffab671384f884d246dcd95ae
                                  • Instruction Fuzzy Hash: 4431B371900259EFEB04CFA8CD89ADE3BB5EB14325F104215FA25EB2D0C770A944EF90
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FCCB7B,00000000), ref: 00FCD895
                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00FCD8CC
                                  • GetLastError.KERNEL32(?,00000000,?,?,?,00FCCB7B,00000000), ref: 00FCD911
                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00FCCB7B,00000000), ref: 00FCD925
                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00FCCB7B,00000000), ref: 00FCD94F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                  • String ID:
                                  • API String ID: 3191363074-0
                                  • Opcode ID: 367b76658dbbc432a0c593bb95957373ed601600a57ab026ba68a3cd52b70b3f
                                  • Instruction ID: 4bf93ff441e7512ac37165a8c539af879e70f25597edb51be184de27647ecfde
                                  • Opcode Fuzzy Hash: 367b76658dbbc432a0c593bb95957373ed601600a57ab026ba68a3cd52b70b3f
                                  • Instruction Fuzzy Hash: 8F313A7590020AAFDB24DFA5DA86FAE77F8EF04364B10443EE546D6540EA34AE41AB60
                                  APIs
                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FE60A4
                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FE60FC
                                  • _wcslen.LIBCMT ref: 00FE610E
                                  • _wcslen.LIBCMT ref: 00FE6119
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE6175
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen
                                  • String ID:
                                  • API String ID: 763830540-0
                                  • Opcode ID: 5c12f95baa13443039e91e0e02ed2458d84764885d54a5436af8048e580b3bc6
                                  • Instruction ID: 3f5a4776762361e3a1b2437043bf38ba7561588ed6ddfadfd7b4c54c2c8fe1d6
                                  • Opcode Fuzzy Hash: 5c12f95baa13443039e91e0e02ed2458d84764885d54a5436af8048e580b3bc6
                                  • Instruction Fuzzy Hash: 0E21C331D0429CABCF219FA5CC84AEE7BB8FB14764F108226FA25DA181D774D585AF60
                                  APIs
                                  • IsWindow.USER32(00000000), ref: 00FD12AE
                                  • GetForegroundWindow.USER32 ref: 00FD12C5
                                  • GetDC.USER32(00000000), ref: 00FD1301
                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00FD130D
                                  • ReleaseDC.USER32(00000000,00000003), ref: 00FD1345
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$ForegroundPixelRelease
                                  • String ID:
                                  • API String ID: 4156661090-0
                                  • Opcode ID: e22c57a921e2fddcf97cdb6dc2c065969cdb20bee70d70e2292e31e3eead87dd
                                  • Instruction ID: 215c7fc11449af13751296fa2cdff9c9291f6256d19dbd5499d0d204c7943cd9
                                  • Opcode Fuzzy Hash: e22c57a921e2fddcf97cdb6dc2c065969cdb20bee70d70e2292e31e3eead87dd
                                  • Instruction Fuzzy Hash: 73218E76600208AFD704EF65DC89A9EBBF5FF88341B04842DE94AD7751CA35EC04EB90
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 00F8D166
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F8D189
                                    • Part of subcall function 00F83BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A99,?,0000015D,?,?,?,?,00F785D0,000000FF,00000000,?,?), ref: 00F83BE2
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F8D1AF
                                  • _free.LIBCMT ref: 00F8D1C2
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F8D1D1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 250b1433def547c1cdc6ab594084fdd3b64d4fbc8af2992bdc271dcdd42cc602
                                  • Instruction ID: 708a8cf3db7a43bfc2c782dfd82705161b12efb0aa63174e300b14bac22da842
                                  • Opcode Fuzzy Hash: 250b1433def547c1cdc6ab594084fdd3b64d4fbc8af2992bdc271dcdd42cc602
                                  • Instruction Fuzzy Hash: 3D017172A02A597F732176665C8CDBB7A6DDFC2BA13240129FD04C6280DE658C01A2B1
                                  APIs
                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F51F33
                                  • SelectObject.GDI32(?,00000000), ref: 00F51F42
                                  • BeginPath.GDI32(?), ref: 00F51F59
                                  • SelectObject.GDI32(?,00000000), ref: 00F51F82
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$BeginCreatePath
                                  • String ID:
                                  • API String ID: 3225163088-0
                                  • Opcode ID: bb7b13d683813280a38c6088d4c1f2561c2b2dad03141628151e727e2d19b220
                                  • Instruction ID: 00f5293ae43bb70a935755e716eb1a997e4e906f6a1ebb655ea524eee96d52de
                                  • Opcode Fuzzy Hash: bb7b13d683813280a38c6088d4c1f2561c2b2dad03141628151e727e2d19b220
                                  • Instruction Fuzzy Hash: 9B219571D01305EFDB319FA4EC447797BF8BB513A2F200215FD5196094D3796995EB80
                                  APIs
                                  • GetLastError.KERNEL32(0000000A,?,?,00F7F66E,00F7547F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F8318D
                                  • _free.LIBCMT ref: 00F831C2
                                  • _free.LIBCMT ref: 00F831E9
                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F831F6
                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F831FF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 6940775e479c019b6c25173c26034b5fdaf0bdd9cbad80f8dce2a78cb15d4f7c
                                  • Instruction ID: 810a81dc3eed20717179bc6caa0243a8fda0e3eba18e1f4d3f253600b4e4f449
                                  • Opcode Fuzzy Hash: 6940775e479c019b6c25173c26034b5fdaf0bdd9cbad80f8dce2a78cb15d4f7c
                                  • Instruction Fuzzy Hash: 0201F473E01E117BC71232355C8EDEB36699FC1F707200029F825961A1EE698A027320
                                  APIs
                                  • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?,?,00FB0BEE), ref: 00FB08BB
                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?), ref: 00FB08D6
                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?), ref: 00FB08E4
                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?), ref: 00FB08F4
                                  • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB07D1,80070057,?,?), ref: 00FB0900
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                  • String ID:
                                  • API String ID: 3897988419-0
                                  • Opcode ID: 5148f9ac95a25b569c29be67551023f0996fa442bc604cf750bd7344f3ccd186
                                  • Instruction ID: 2d460238c199abd4d7ae0ada728b0638fde5a019a22afbd8984924ad3bfb3f98
                                  • Opcode Fuzzy Hash: 5148f9ac95a25b569c29be67551023f0996fa442bc604cf750bd7344f3ccd186
                                  • Instruction Fuzzy Hash: F7014F76A00218AFDB114F66DC44B9B7ABDEB887A1F144024F945DA211EB71DE40ABA0
                                  APIs
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00FBF1C3
                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 00FBF1D1
                                  • Sleep.KERNEL32(00000000), ref: 00FBF1D9
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00FBF1E3
                                  • Sleep.KERNEL32 ref: 00FBF21F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  • Opcode ID: 40fc326eedba243ff1474b454f06982083f5fb466e8a106072c33c4836e0f81a
                                  • Instruction ID: db6ac7ce9df6613d3c8081a2760b6e2ada9640903b43b08909c71b4a47fc7a44
                                  • Opcode Fuzzy Hash: 40fc326eedba243ff1474b454f06982083f5fb466e8a106072c33c4836e0f81a
                                  • Instruction Fuzzy Hash: C4018C39C0161DDBDF00AFA5EC89AEDBB79FB09311F010465E901F2150CB349658EB61
                                  APIs
                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB19A4
                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19B0
                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19BF
                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB142B,?,?,?), ref: 00FB19C6
                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB19DD
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 842720411-0
                                  • Opcode ID: 22908002e4fb44e85fcb529a7dea261349ee36878cf5c2617202d322e931ae8d
                                  • Instruction ID: e930d4def6f971eca110d9806a658e9847d2a290cb8d18793759321075e2b2db
                                  • Opcode Fuzzy Hash: 22908002e4fb44e85fcb529a7dea261349ee36878cf5c2617202d322e931ae8d
                                  • Instruction Fuzzy Hash: 830181B5501249BFEB114FA5DC99EAB3B6EEF86360B110428F845CB260DA31DC40AA60
                                  APIs
                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FB18BA
                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FB18C6
                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB18D5
                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB18DC
                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB18F2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: dcb04d40c34db2c941772936ad26ecede679bc259af6da9b07fef98298ef2373
                                  • Instruction ID: 4d89c8d6cf60ba2f1249e9aac9f9800a937e46cdf34218f520e08b13b08f61d6
                                  • Opcode Fuzzy Hash: dcb04d40c34db2c941772936ad26ecede679bc259af6da9b07fef98298ef2373
                                  • Instruction Fuzzy Hash: 63F06D75201309AFDB114FA5EC99F963BADFF89371F100824FA46CB660CA74D940EA60
                                  APIs
                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FB185A
                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FB1866
                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FB1875
                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FB187C
                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FB1892
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                  • String ID:
                                  • API String ID: 44706859-0
                                  • Opcode ID: 96362fb32f6097913f7b5db74cdc69c065896e78c8246e2c9320b50196e7894b
                                  • Instruction ID: 54a810507cf5ce0bc36af79fd19bdd75ab9e8c6d682f6e3ea487bf98d5e2cdc0
                                  • Opcode Fuzzy Hash: 96362fb32f6097913f7b5db74cdc69c065896e78c8246e2c9320b50196e7894b
                                  • Instruction Fuzzy Hash: 65F06275141345BFD7110F65DC9DF963B6DFF89361F500414FA49CB651CA75DC009A60
                                  APIs
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0BE0
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0BED
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0BFA
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0C07
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0C14
                                  • CloseHandle.KERNEL32(?,?,?,?,00FC0A39,?,00FC3C56,?,00000001,00F93ACE,?), ref: 00FC0C21
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: a82f083c677ea879bedd17597341eda9f1eedd9250c7bb8bb13e7ed5c2b21ea2
                                  • Instruction ID: 5b4b270a366b92476864b8f9caafcb3e261a167473a2114d0dd81c3f4c9c0b14
                                  • Opcode Fuzzy Hash: a82f083c677ea879bedd17597341eda9f1eedd9250c7bb8bb13e7ed5c2b21ea2
                                  • Instruction Fuzzy Hash: A601A275800B16DFC730AF66DA80816FBF9EF503293158A3ED19252931CB71A946EF80
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 00FB64E7
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FB64FE
                                  • MessageBeep.USER32(00000000), ref: 00FB6516
                                  • KillTimer.USER32(?,0000040A), ref: 00FB6532
                                  • EndDialog.USER32(?,00000001), ref: 00FB654C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: 8d795af02e21ddac5862c52aaf857e2f3e18e2202841c15481070a57efd68dca
                                  • Instruction ID: c07e0b423814f24fba725514ad0f12869609d8a57265be3af18fb632ab2d3f15
                                  • Opcode Fuzzy Hash: 8d795af02e21ddac5862c52aaf857e2f3e18e2202841c15481070a57efd68dca
                                  • Instruction Fuzzy Hash: BD018630500708ABEB305B11DD8EBD67778BB10705F040559B587A54E5DBF8AA94EF50
                                  APIs
                                  • _free.LIBCMT ref: 00F8DAF2
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F8DB04
                                  • _free.LIBCMT ref: 00F8DB16
                                  • _free.LIBCMT ref: 00F8DB28
                                  • _free.LIBCMT ref: 00F8DB3A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 7f6bda998fcb5aa9df0ff3afa9b7ba150ccc32839f71e8d5be13a55e7a0a36e3
                                  • Instruction ID: b12d3626926161abae9ad5db8c0101df6afa8e6fa7ddf45df8e6b8039f2b21c7
                                  • Opcode Fuzzy Hash: 7f6bda998fcb5aa9df0ff3afa9b7ba150ccc32839f71e8d5be13a55e7a0a36e3
                                  • Instruction Fuzzy Hash: 78F06233904218ABC664FB98ED89C9677EEAE443203A54805F85CD7545CB7DFC809754
                                  APIs
                                  • _free.LIBCMT ref: 00F8264E
                                    • Part of subcall function 00F82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4), ref: 00F82D6E
                                    • Part of subcall function 00F82D58: GetLastError.KERNEL32(01021DC4,?,00F8DB71,01021DC4,00000000,01021DC4,00000000,?,00F8DB98,01021DC4,00000007,01021DC4,?,00F8DF95,01021DC4,01021DC4), ref: 00F82D80
                                  • _free.LIBCMT ref: 00F82660
                                  • _free.LIBCMT ref: 00F82673
                                  • _free.LIBCMT ref: 00F82684
                                  • _free.LIBCMT ref: 00F82695
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: c58505d45230fe5ef0f8c3367eda463c9ecb3afc4e43a0613d55a77eb77ae218
                                  • Instruction ID: d46e8290f895507a1ae4aa6551ecce724bd6efafd3e4416d144f65faedc5f36d
                                  • Opcode Fuzzy Hash: c58505d45230fe5ef0f8c3367eda463c9ecb3afc4e43a0613d55a77eb77ae218
                                  • Instruction Fuzzy Hash: 39F0DA718011209BC6B2BF94EE058883B64BB29761325460AF8A89626DC77F2947BF84
                                  APIs
                                  • EndPath.GDI32(?), ref: 00F51E74
                                  • StrokeAndFillPath.GDI32(?,?,00F93258,00000000,?,?,?), ref: 00F51E90
                                  • SelectObject.GDI32(?,00000000), ref: 00F51EA3
                                  • DeleteObject.GDI32 ref: 00F51EB6
                                  • StrokePath.GDI32(?), ref: 00F51ED1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: 9ad05ecc7fa05cd7b981c332cd96130fc0e7868d741bab4c739e6476bc243b29
                                  • Instruction ID: 1ac7e8618796e1f53b1c6b99d641c9fbb0d18f630654fc12107c82c182a86811
                                  • Opcode Fuzzy Hash: 9ad05ecc7fa05cd7b981c332cd96130fc0e7868d741bab4c739e6476bc243b29
                                  • Instruction Fuzzy Hash: 35F01D30501248DBD7355F54ED4D7743FA5BB413B6F148214F995584F8C73AA499EF10
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: __freea$_free
                                  • String ID: a/p$am/pm
                                  • API String ID: 3432400110-3206640213
                                  • Opcode ID: 4ecef953282a9eb01b72eb94b08b8d66a87a4da49dfb14403ee23b1b7c022b25
                                  • Instruction ID: 44e29960462f0edb161d22c3559d39103d4dedad0a64a39c41223d29b4d069aa
                                  • Opcode Fuzzy Hash: 4ecef953282a9eb01b72eb94b08b8d66a87a4da49dfb14403ee23b1b7c022b25
                                  • Instruction Fuzzy Hash: 19D1F375D00206CADB24BF68C845BFEB7B9FF05320F284359E546AB250E3359D82EB91
                                  APIs
                                    • Part of subcall function 00FBBCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB2A60,?,?,00000034,00000800,?,00000034), ref: 00FBBD09
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FB2FF0
                                    • Part of subcall function 00FBBCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB2A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 00FBBCD4
                                    • Part of subcall function 00FBBC06: GetWindowThreadProcessId.USER32(?,?), ref: 00FBBC31
                                    • Part of subcall function 00FBBC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FB2A24,00000034,?,?,00001004,00000000,00000000), ref: 00FBBC41
                                    • Part of subcall function 00FBBC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FB2A24,00000034,?,?,00001004,00000000,00000000), ref: 00FBBC57
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB305D
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB30AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                  • String ID: @
                                  • API String ID: 4150878124-2766056989
                                  • Opcode ID: e38e0cef023ea35a820321610ccfeef3dac6c43325dfd161c58882f4339b58c9
                                  • Instruction ID: 0ec431e53e8548df0fab55f259dec85c703dc4ee4c04caa05a31876696e16c9e
                                  • Opcode Fuzzy Hash: e38e0cef023ea35a820321610ccfeef3dac6c43325dfd161c58882f4339b58c9
                                  • Instruction Fuzzy Hash: 5F412AB6A00218AFDB10EFA5CD81ADEBBB8EF49754F004095FA45B7180DA716E85DF60
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\wvtynvwe\AutoIt3.exe,00000104), ref: 00F81AF9
                                  • _free.LIBCMT ref: 00F81BC4
                                  • _free.LIBCMT ref: 00F81BCE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\ProgramData\wvtynvwe\AutoIt3.exe
                                  • API String ID: 2506810119-3538095461
                                  • Opcode ID: c8574cd10c7c254c8de115b61f4095514d18d95c176972b89568679987971284
                                  • Instruction ID: 389a073afe8fb5c5cfbe9a347973f866df234144f4415d288619207f0fe11b13
                                  • Opcode Fuzzy Hash: c8574cd10c7c254c8de115b61f4095514d18d95c176972b89568679987971284
                                  • Instruction Fuzzy Hash: FC318371E00218ABDB25EF99DC85DDEBBBCFB85320B1042A6E80497210E6755E45EB90
                                  APIs
                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FBCAC6
                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00FBCB0C
                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01022990,01075728), ref: 00FBCB55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem
                                  • String ID: 0
                                  • API String ID: 135850232-4108050209
                                  • Opcode ID: 61b999cb8faaef67b76e5f12b1f14779e142112a46c909a1ba4d4d50be332cd4
                                  • Instruction ID: 1f1aa18da38a357c53b158e9f7d2cb000df2b6a352b28ecb82b38df8f2e7f22d
                                  • Opcode Fuzzy Hash: 61b999cb8faaef67b76e5f12b1f14779e142112a46c909a1ba4d4d50be332cd4
                                  • Instruction Fuzzy Hash: 2041AC316053419FD724DF25CC86F9BBBA8AF84320F14862DE9A597291D774A804DFA2
                                  APIs
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FEDCD0,00000000,?,?,?,?), ref: 00FE4E09
                                  • GetWindowLongW.USER32 ref: 00FE4E26
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE4E36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Long
                                  • String ID: SysTreeView32
                                  • API String ID: 847901565-1698111956
                                  • Opcode ID: 4fde6c13fb444e6602ffd1f5b717e8d4906e264bc4ea4e53f95d53c2fb8e00e1
                                  • Instruction ID: 6c7243c8a756ad870d676a2b6cca328582810804483e416e9a82e92742713eeb
                                  • Opcode Fuzzy Hash: 4fde6c13fb444e6602ffd1f5b717e8d4906e264bc4ea4e53f95d53c2fb8e00e1
                                  • Instruction Fuzzy Hash: AC319C31600249AFDF219F39CC85BEA7BA9FB08334F204729F979922D0D734A851AB50
                                  APIs
                                    • Part of subcall function 00FD3CB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FD39D4,?,?), ref: 00FD3CD5
                                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD39D7
                                  • _wcslen.LIBCMT ref: 00FD39F8
                                  • htons.WSOCK32(00000000,?,?,00000000), ref: 00FD3A63
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 946324512-2422070025
                                  • Opcode ID: 6ba423bfebe62e480c542be4e425461e9ca7a1d1e7bf6155be2c980989575ac4
                                  • Instruction ID: 79f308e31d2717bcc2b57ccb2ffa6fca73c56d4aa1a7607e83ceca85b07e37d0
                                  • Opcode Fuzzy Hash: 6ba423bfebe62e480c542be4e425461e9ca7a1d1e7bf6155be2c980989575ac4
                                  • Instruction Fuzzy Hash: 5831C43DB002019FC710CF68C485E6977E2EF15324F29805AE9568B392D779EF45E762
                                  APIs
                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FE489F
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FE48B3
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE48D7
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: SysMonthCal32
                                  • API String ID: 2326795674-1439706946
                                  APIs
                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FE5064
                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FE5072
                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FE5079
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$DestroyWindow
                                  • String ID: msctls_updown32
                                  • API String ID: 4014797782-2298589950
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 176396367-2734436370
                                  APIs
                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FE419F
                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FE41AF
                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FE41D5
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$MoveWindow
                                  • String ID: Listbox
                                  • API String ID: 3315199576-2633736733
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 00FC5362
                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FC53B6
                                  • SetErrorMode.KERNEL32(00000000,?,?,00FEDCD0), ref: 00FC542A
                                  Strings
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: %lu
                                  • API String ID: 2507767853-685833217
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FE4BAE
                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FE4BC3
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FE4BD0
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  APIs
                                    • Part of subcall function 00F584B7: _wcslen.LIBCMT ref: 00F584CA
                                    • Part of subcall function 00FB3637: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FB3655
                                    • Part of subcall function 00FB3637: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB3666
                                    • Part of subcall function 00FB3637: GetCurrentThreadId.KERNEL32 ref: 00FB366D
                                    • Part of subcall function 00FB3637: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FB3674
                                  • GetFocus.USER32 ref: 00FB3807
                                    • Part of subcall function 00FB367E: GetParent.USER32(00000000), ref: 00FB3689
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00FB3852
                                  • EnumChildWindows.USER32(?,00FB38CA), ref: 00FB387A
                                  Strings
                                  Similarity
                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                  • String ID: %s%d
                                  • API String ID: 1272988791-1110647743
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FE6220
                                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FE624D
                                  • DrawMenuBar.USER32(?), ref: 00FE625C
                                  Strings
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw
                                  • String ID: 0
                                  • API String ID: 3227129158-4108050209
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  APIs
                                  Similarity
                                  • API ID: Variant$ClearInitInitializeUninitialize
                                  • String ID:
                                  • API String ID: 1998397398-0
                                  APIs
                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0E80
                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0E98
                                  • CLSIDFromProgID.OLE32(?,?,00000000,00FEDCE0,000000FF,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0EBD
                                  • _memcmp.LIBVCRUNTIME ref: 00FB0EDE
                                  Similarity
                                  • API ID: FromProg$FreeTask_memcmp
                                  • String ID:
                                  • API String ID: 314563124-0
                                  APIs
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00FD245A
                                  • WSAGetLastError.WSOCK32 ref: 00FD2468
                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FD24E7
                                  • WSAGetLastError.WSOCK32 ref: 00FD24F1
                                  Similarity
                                  • API ID: ErrorLast$socket
                                  • String ID:
                                  • API String ID: 1881357543-0
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00FE6C41
                                  • ScreenToClient.USER32(?,?), ref: 00FE6C74
                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FE6CE1
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c49b6db6f97eafd4533ab90ecd9dd3792081ede6244ef5442498a93fff29130
                                  • Instruction ID: 0dc922990f53367158e5827dd7777ac103991bcc6f73a5bb71a1f319266729b8
                                  • Opcode Fuzzy Hash: 6c49b6db6f97eafd4533ab90ecd9dd3792081ede6244ef5442498a93fff29130
                                  • Instruction Fuzzy Hash: 46411972A00704BFE724BF78CC41BAABBEDEF88710F10852AF551DB291D775A9429780
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FC60DD
                                  • GetLastError.KERNEL32(?,00000000), ref: 00FC6103
                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FC6128
                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FC6154
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: b9aa8596b95157c5d5065eed8a7993a29a392e161fe11110b51635ec6f14ba97
                                  • Instruction ID: e05a9d8d16dcdf28adff57bfb3b6c40635e7e98ae00bff87e330be1dda0cd096
                                  • Opcode Fuzzy Hash: b9aa8596b95157c5d5065eed8a7993a29a392e161fe11110b51635ec6f14ba97
                                  • Instruction Fuzzy Hash: BA415B35600611DFCB11EF14C942A1EBBF2EF49761B088088ED4AAB762CB34FD05EB81
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F77101,00000000,00000000,00F78669,?,00F78669,?,00000001,00F77101,8BE85006,00000001,00F78669,00F78669), ref: 00F8DCB0
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F8DD39
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F8DD4B
                                  • __freea.LIBCMT ref: 00F8DD54
                                    • Part of subcall function 00F83BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A99,?,0000015D,?,?,?,?,00F785D0,000000FF,00000000,?,?), ref: 00F83BE2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  • Opcode ID: 921d4beab12c6b000a1af57dfea8348e883d011d4e9c99044f615f9c87f2314c
                                  • Instruction ID: eed60a4bd8764caab34e5045e28aae77970d84f43e03b63caeadeb06a7c9d103
                                  • Opcode Fuzzy Hash: 921d4beab12c6b000a1af57dfea8348e883d011d4e9c99044f615f9c87f2314c
                                  • Instruction Fuzzy Hash: ED31C532A0020AABDF25AF64DC45EEE7BA5EF40710F154129FC14D7190DB39DD50EB90
                                  APIs
                                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FBB388
                                  • SetKeyboardState.USER32(00000080), ref: 00FBB3A4
                                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FBB412
                                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FBB464
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: 5f0dcf64914247317f97e53c8f1650b761ffd92f95447eef5b7a30f975beb248
                                  • Instruction ID: 0785a8c0f2e4fc1b601beb1f8115aaaf88cf9958a15065971382170f024f84e2
                                  • Opcode Fuzzy Hash: 5f0dcf64914247317f97e53c8f1650b761ffd92f95447eef5b7a30f975beb248
                                  • Instruction Fuzzy Hash: 65311671E40248EEEF20CF668C057FE7BA5BF44320F18822AE491961D1D3F98945EFA1
                                  APIs
                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00FE5CB1
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE5CD4
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE5CE1
                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FE5D07
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: LongWindow$InvalidateMessageRectSend
                                  • String ID:
                                  • API String ID: 3340791633-0
                                  • Opcode ID: 4fa0c555e5f1f30a59997fdd14bc46a353883495e9985131e1312c51123a1902
                                  • Instruction ID: c4ad5ea2346da52f29169bee8c5e6e6b932085bd9834a95156c6b19a198ccbe9
                                  • Opcode Fuzzy Hash: 4fa0c555e5f1f30a59997fdd14bc46a353883495e9985131e1312c51123a1902
                                  • Instruction Fuzzy Hash: 8031C835E5568CFFEB309F6ACC59BE437A1EB04B28F644102FA115A1E1C7756980BB41
                                  APIs
                                  • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FBB4CD
                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00FBB4E9
                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00FBB550
                                  • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FBB5A2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: KeyboardState$InputMessagePostSend
                                  • String ID:
                                  • API String ID: 432972143-0
                                  • Opcode ID: 60216014380edd157714a5e3d65c89da3aae37de2e60c6af7f8c9ceac8d0dce4
                                  • Instruction ID: 7d562f3edf21678701df2fae9a31f3363d663e22aa1843b9bd5ac5ba2434cdf4
                                  • Opcode Fuzzy Hash: 60216014380edd157714a5e3d65c89da3aae37de2e60c6af7f8c9ceac8d0dce4
                                  • Instruction Fuzzy Hash: BB310970E40258AEFF318B26CC057FA7BB6AF45320F4C421AE085561D9C3B48A45AF53
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00FE204A
                                    • Part of subcall function 00FB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB42E6
                                    • Part of subcall function 00FB42CC: GetCurrentThreadId.KERNEL32 ref: 00FB42ED
                                    • Part of subcall function 00FB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2E43), ref: 00FB42F4
                                  • GetCaretPos.USER32(?), ref: 00FE205E
                                  • ClientToScreen.USER32(00000000,?), ref: 00FE20AB
                                  • GetForegroundWindow.USER32 ref: 00FE20B1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: 191d52fdfe6840a61e252ce62435eb8a88a7d8af07cc351e00e26258f30b51c3
                                  • Instruction ID: eaf1fd8d7096b451eaa0f94baccc35f947122d25dd6d9a7352c0c52469c10d5f
                                  • Opcode Fuzzy Hash: 191d52fdfe6840a61e252ce62435eb8a88a7d8af07cc351e00e26258f30b51c3
                                  • Instruction Fuzzy Hash: FA316171D00249AFC704DFA6C881CAEBBFCEF48304B50846AE515E7252EB75EE05DBA0
                                  APIs
                                    • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
                                  • _wcslen.LIBCMT ref: 00FBE7F7
                                  • _wcslen.LIBCMT ref: 00FBE80E
                                  • _wcslen.LIBCMT ref: 00FBE839
                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FBE844
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$ExtentPoint32Text
                                  • String ID:
                                  • API String ID: 3763101759-0
                                  • Opcode ID: e81dcd1fc68ef9dc777d541a4795c259c75358919509565c213208c021bf18c0
                                  • Instruction ID: 6cdef203ff95a3ff45f973bdffae6a82db357b59df80349adfa44ffdcdf4b031
                                  • Opcode Fuzzy Hash: e81dcd1fc68ef9dc777d541a4795c259c75358919509565c213208c021bf18c0
                                  • Instruction Fuzzy Hash: D221D671D00614AFDB119FA9CD81BEEB7F8EF45360F148065F908AB281DB74DE419BA2
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00FBDCC1
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00FBDCCF
                                  • Process32NextW.KERNEL32(00000000,?), ref: 00FBDCEF
                                  • CloseHandle.KERNEL32(00000000), ref: 00FBDD9C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: b86e70ca7746d76b7fb1b987e8f2948fc740db092274e6aeea96bdb7fc24df0f
                                  • Instruction ID: 226e4f866a5a833b902d475f7b7c078f519f6206440d5f5f11279cfefd386b6d
                                  • Opcode Fuzzy Hash: b86e70ca7746d76b7fb1b987e8f2948fc740db092274e6aeea96bdb7fc24df0f
                                  • Instruction Fuzzy Hash: 60319F725083449FD301EF60DC85BAFBBF8AF99350F04092DF981861A1EB759948EB92
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • GetCursorPos.USER32(?), ref: 00FE9960
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FE9975
                                  • GetCursorPos.USER32(?), ref: 00FE99BD
                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00FE99F3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                  • String ID:
                                  • API String ID: 2864067406-0
                                  • Opcode ID: d20ac30ecd12ef9dff6b92d8e32f41fa704608bf70e0768b3109846e7a08dbdb
                                  • Instruction ID: e2873153abdfa099a3e86df53bfc3fba42f87fed25c669772538ca7c2169e0df
                                  • Opcode Fuzzy Hash: d20ac30ecd12ef9dff6b92d8e32f41fa704608bf70e0768b3109846e7a08dbdb
                                  • Instruction Fuzzy Hash: 8621E131500058EFCB258F95CC89EEE7BB5FB0A360F10415AF9054B162D7759E90EB60
                                  APIs
                                  • GetFileAttributesW.KERNEL32(?,00FEDC30), ref: 00FBDABB
                                  • GetLastError.KERNEL32 ref: 00FBDACA
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FBDAD9
                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FEDC30), ref: 00FBDB36
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                  • String ID:
                                  • API String ID: 2267087916-0
                                  • Opcode ID: 2736f72c25ca0d12f8fef29ac436d91150c09556b31010c760148a430a08a6c8
                                  • Instruction ID: 9c93150286f533b08d0b78fe95985c945993fb4f17ee24aea546cdd295d62753
                                  • Opcode Fuzzy Hash: 2736f72c25ca0d12f8fef29ac436d91150c09556b31010c760148a430a08a6c8
                                  • Instruction Fuzzy Hash: 732186315082459F8700DF25C8818ABB7E8EF95364F14461DF8A9C72A2E730DD49EF53
                                  APIs
                                  • GetWindowLongW.USER32(?,000000EC), ref: 00FE3169
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE3183
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE3191
                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FE319F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Long$AttributesLayered
                                  • String ID:
                                  • API String ID: 2169480361-0
                                  • Opcode ID: 450d7915198e0ad9c05c112caadb545e1fc855a0cf9fefd086403184d8d049b3
                                  • Instruction ID: a82e1d563efa3d47a2df667f9cc62ce18b38145429ce53accec33fa392b22655
                                  • Opcode Fuzzy Hash: 450d7915198e0ad9c05c112caadb545e1fc855a0cf9fefd086403184d8d049b3
                                  • Instruction Fuzzy Hash: 1221D331608191BFE7049B15CC4CFAA7BA5EF85324F14815CF4668B2D2CB79ED42DB90
                                  APIs
                                    • Part of subcall function 00FB960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FB8199,?,000000FF,?,00FB8FE3,00000000,?,0000001C,?,?), ref: 00FB961B
                                    • Part of subcall function 00FB960C: lstrcpyW.KERNEL32(00000000,?,?,00FB8199,?,000000FF,?,00FB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00FB9641
                                    • Part of subcall function 00FB960C: lstrcmpiW.KERNEL32(00000000,?,00FB8199,?,000000FF,?,00FB8FE3,00000000,?,0000001C,?,?), ref: 00FB9672
                                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00FB81B2
                                  • lstrcpyW.KERNEL32(00000000,?,?,00FB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00FB81D8
                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00FB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00FB8213
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen
                                  • String ID: cdecl
                                  • API String ID: 4031866154-3896280584
                                  • Opcode ID: 267472a33f1e7f1d44a2e70c8ba87fe1b2901f15c911c00fb22e6acfa9245689
                                  • Instruction ID: 01c0ea85392e01405fd4508678c2f750886f88bcba4964a58ad9ce0de53416e8
                                  • Opcode Fuzzy Hash: 267472a33f1e7f1d44a2e70c8ba87fe1b2901f15c911c00fb22e6acfa9245689
                                  • Instruction Fuzzy Hash: AB11063A200345AFDB145F35CC84ABA77A9FF84390B40402AF906CB250EF759802EB51
                                  APIs
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00FE866A
                                  • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FE8689
                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FE86A1
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FCC10A,00000000), ref: 00FE86CA
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$Long
                                  • String ID:
                                  • API String ID: 847901565-0
                                  • Opcode ID: de64f23ff197d3b6fc2cf982aa9297dcf05f67ddf29e20a1514012f346ebc41d
                                  • Instruction ID: 2477bdaff0334878cc12104dce1bbc6ff5363b162a9a2b929c084bca5f0299c3
                                  • Opcode Fuzzy Hash: de64f23ff197d3b6fc2cf982aa9297dcf05f67ddf29e20a1514012f346ebc41d
                                  • Instruction Fuzzy Hash: 9111B432A012999FCB10AF69CC44A6A3BA5FB453B4B114724F93DDB2F0DB308D12EB50
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00FB22D7
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB22E9
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB22FF
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB231A
                                  Similarity
                                  • API ID: MessageSend
                                  APIs
                                    • Part of subcall function 00F52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00F52452
                                  • GetClientRect.USER32(?,?), ref: 00FEA890
                                  • GetCursorPos.USER32(?), ref: 00FEA89A
                                  • ScreenToClient.USER32(?,?), ref: 00FEA8A5
                                  • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00FEA8D9
                                  Similarity
                                  • API ID: Client$CursorLongProcRectScreenWindow
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00FBEA29
                                  • MessageBoxW.USER32(?,?,?,?), ref: 00FBEA5C
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FBEA72
                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FBEA79
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  APIs
                                  • CreateThread.KERNEL32(00000000,?,00F7D389,00000000,00000004,00000000), ref: 00F7D5A8
                                  • GetLastError.KERNEL32 ref: 00F7D5B4
                                  • __dosmaperr.LIBCMT ref: 00F7D5BB
                                  • ResumeThread.KERNEL32(00000000), ref: 00F7D5D9
                                  Similarity
                                  • API ID: Thread$CreateErrorLastResume__dosmaperr
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F57759
                                  • GetStockObject.GDI32(00000011), ref: 00F5776D
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F57777
                                  Similarity
                                  • API ID: CreateMessageObjectSendStockWindow
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00F73EE6
                                    • Part of subcall function 00F73E33: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F73E62
                                    • Part of subcall function 00F73E33: ___AdjustPointer.LIBCMT ref: 00F73E7D
                                  • _UnwindNestedFrames.LIBCMT ref: 00F73EFB
                                  • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F73F0C
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00F73F34
                                  Similarity
                                  • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00F833AA,00000364,00000000,00000000,00000000,?,00F8361B,00000006,FlsSetValue), ref: 00F83435
                                  • GetLastError.KERNEL32(?,00F833AA,00000364,00000000,00000000,00000000,?,00F8361B,00000006,FlsSetValue,00FF3260,FlsSetValue,00000000,00000364,?,00F831D6), ref: 00F83441
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F833AA,00000364,00000000,00000000,00000000,?,00F8361B,00000006,FlsSetValue,00FF3260,FlsSetValue,00000000), ref: 00F8344F
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FB7D0E
                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FB7D26
                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FB7D3B
                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FB7D59
                                  Similarity
                                  • API ID: Type$Register$FileLoadModuleNameUser
                                  APIs
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FBB5AF,?,00008000), ref: 00FBB9A0
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FBB5AF,?,00008000), ref: 00FBB9C5
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FBB5AF,?,00008000), ref: 00FBB9CF
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FBB5AF,?,00008000), ref: 00FBBA02
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00FE8792
                                  • ScreenToClient.USER32(?,?), ref: 00FE87AA
                                  • ScreenToClient.USER32(?,?), ref: 00FE87CE
                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE87E9
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FB3655
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB3666
                                  • GetCurrentThreadId.KERNEL32 ref: 00FB366D
                                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FB3674
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  APIs
                                    • Part of subcall function 00F51ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F51F33
                                    • Part of subcall function 00F51ED9: SelectObject.GDI32(?,00000000), ref: 00F51F42
                                    • Part of subcall function 00F51ED9: BeginPath.GDI32(?), ref: 00F51F59
                                    • Part of subcall function 00F51ED9: SelectObject.GDI32(?,00000000), ref: 00F51F82
                                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FE91E6
                                  • LineTo.GDI32(?,?,?), ref: 00FE91F3
                                  • EndPath.GDI32(?), ref: 00FE9203
                                  • StrokePath.GDI32(?), ref: 00FE9211
                                  Similarity
                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                  APIs
                                  • GetSysColor.USER32(00000008), ref: 00F5216C
                                  • SetTextColor.GDI32(?,?), ref: 00F52176
                                  • SetBkMode.GDI32(?,00000001), ref: 00F52189
                                  • GetStockObject.GDI32(00000005), ref: 00F52191
                                  Similarity
                                  • API ID: Color$ModeObjectStockText
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 00FB1EC4
                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FB1A69), ref: 00FB1ECB
                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FB1A69), ref: 00FB1ED8
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FB1A69), ref: 00FB1EDF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CurrentOpenProcessThreadToken
                                  • String ID:
                                  • API String ID: 3974789173-0
                                  • Opcode ID: eec8ecf757d6a1127ec59a23efd98dfc21420173ff3bff2ee71d92683d3cba3c
                                  • Instruction ID: 4245a0aa316d1c45c74f24a6c130a87cf6bc9b21c1eb9033b8bc6252645d57e9
                                  • Opcode Fuzzy Hash: eec8ecf757d6a1127ec59a23efd98dfc21420173ff3bff2ee71d92683d3cba3c
                                  • Instruction Fuzzy Hash: 16E08C32A02215ABE7705FA1AD4DB9B3B7CBF407A2F144808B745CE080E674D445EB61
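The function records on this page share one shape: an `APIs` list whose entries read `Name.MODULE(values), ref: call-site` (with `Part of subcall function` marking calls reached through a callee), a `Memory Dump Source` block, and a `Similarity` block whose IDs and fuzzy hashes are the report's similarity keys. The Python below is an added example, not Joe Sandbox code; it parses such records into queryable objects so one can, for instance, list every function that opens a thread or process token, or pivot on an `API String ID` across several reports. The line grammar is inferred from this page, the sample input is a constructed excerpt of two records copied from it, and treating the value column as raw stack slots rather than declared parameters is an assumption drawn from `GetCurrentProcess.KERNEL32(00000028,...)` above, where a parameterless API is shown with values.

```python
"""Parse the per-function records of a Joe Sandbox disassembly listing (the
"APIs / Memory Dump Source / Similarity" blocks on this page) into objects
that can be queried for API chains and similarity IDs.
Added example, not Joe Sandbox code. The line grammar is inferred from the
rendered report; SAMPLE is a constructed excerpt of two records from this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 00FB1EC4
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00FB1A69), ref: 00FB1ECB
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FB1A69), ref: 00FB1ED8
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00FB1A69), ref: 00FB1EDF
Memory Dump Source
• Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Instruction Fuzzy Hash: 16E08C32A02215ABE7705FA1AD4DB9B3B7CBF407A2F144808B745CE080E674D445EB61
APIs
  • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FC582E
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Instruction Fuzzy Hash: 32918A75A00205DFCB14CF54C985FAABBB1AF48724F18809DE8099F7A2C735EE85DB50
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function ADDR: ]Name.MODULE[(values)], ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # values as printed; '?' = unknown to the analyser
    ref: str                   # address of the call site
    in_subcall: Optional[str]  # callee address when reached via "Part of subcall"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def direct_chain(self):
        """API names the function body calls itself, in listing order."""
        return [a.name for a in self.apis if a.in_subcall is None]


def parse_records(text):
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        # "Instruction Fuzzy Hash" is the last field of a record, so an
        # APIs/Strings header after it (or before any record) opens a new one.
        if s in ("APIs", "Strings") and (cur is None or "Instruction Fuzzy Hash" in cur.fields):
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or s in SECTION_HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["caller"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["value"]
    return records


def arg_value(arg):
    """'00000028' -> 0x28; '?' -> None. Assumption: the column holds call-site
    stack slots, so for a parameterless API they are not real parameters."""
    return None if arg == "?" else int(arg, 16)


def find_by_apis(records, *names):
    """Records whose own call chain contains every named API."""
    return [r for r in records if set(names) <= set(r.direct_chain())]


def index_by_api_string_id(records):
    """'API String ID' -> records, the similarity key to pivot on across reports."""
    idx = {}
    for r in records:
        idx.setdefault(r.fields.get("API String ID"), []).append(r)
    return idx
```

Usage: `find_by_apis(parse_records(text), "OpenThreadToken", "OpenProcessToken")` returns the token-acquisition function from this page; feed it several reports' listings and `index_by_api_string_id` groups functions that share an `API String ID`. The `Strings` sections on this page render without entries, so the parser keeps only the `String ID` field rather than a string list.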
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00FAEBD6
                                  • GetDC.USER32(00000000), ref: 00FAEBE0
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FAEC00
                                  • ReleaseDC.USER32(?), ref: 00FAEC21
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: 20a02ed40971d6a415a55dd3d7f63da0fef5f4a84488e529cd28bcce0072f618
                                  • Instruction ID: bab535ee9fdefcbb94a89a46501671f8128edf0873a2b5c9e7d97298fba28c5c
                                  • Opcode Fuzzy Hash: 20a02ed40971d6a415a55dd3d7f63da0fef5f4a84488e529cd28bcce0072f618
                                  • Instruction Fuzzy Hash: 29E01AB5800209DFCF50AFA0C848A6DBBB1FB88311F14844AE90AAB610CB398941BF10
                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00FAEBEA
                                  • GetDC.USER32(00000000), ref: 00FAEBF4
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FAEC00
                                  • ReleaseDC.USER32(?), ref: 00FAEC21
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CapsDesktopDeviceReleaseWindow
                                  • String ID:
                                  • API String ID: 2889604237-0
                                  • Opcode ID: 6add31e3d97386afc50614a7289eff464f2258fd6196b673108fb2b2a21e23e4
                                  • Instruction ID: 0ac791ae8b3808c5bb744fc63e2abde34bf015e01b2171e8337a979119387174
                                  • Opcode Fuzzy Hash: 6add31e3d97386afc50614a7289eff464f2258fd6196b673108fb2b2a21e23e4
                                  • Instruction Fuzzy Hash: A5E01AB5800208DFCF509FB0C84865DBBB1BB48311F148449E909AB610CB395901AF00
                                  APIs
                                    • Part of subcall function 00F54154: _wcslen.LIBCMT ref: 00F54159
                                  • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FC582E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Connection_wcslen
                                  • String ID: *$LPT
                                  • API String ID: 1725874428-3443410124
                                  • Opcode ID: ed963dfef49d112b236d72293ee54c39e276948f77d316f3c74d3f7b5e5fdb57
                                  • Instruction ID: 52a74c953063a790cf7215ff45abbb93e0e245135fab4aba29e2a59bc7fc6c62
                                  • Opcode Fuzzy Hash: ed963dfef49d112b236d72293ee54c39e276948f77d316f3c74d3f7b5e5fdb57
                                  • Instruction Fuzzy Hash: 32918A75A00205DFCB14CF54C985FAABBB1AF48724F18809DE8099F7A2C735EE85DB50
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 00F7E69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: 1ce59d46c3340d5c174ccbc9d1caa726222b30b6f1648896d77abbe8da8398a8
                                  • Instruction ID: de502631f515daa3a13275dee351974779e135882365e07cfa8af23e24541acd
                                  • Opcode Fuzzy Hash: 1ce59d46c3340d5c174ccbc9d1caa726222b30b6f1648896d77abbe8da8398a8
                                  • Instruction Fuzzy Hash: D4518A61E1850586CB15B714CD053BA3BA4AF147A0FB0C99BE0D9462E8EF348C97BB47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #
                                  • API String ID: 0-1885708031
                                  • Opcode ID: cc5d98c86868becba0739477ac4cdcde5ed2eca1d212ad5beec22b49f538891e
                                  • Instruction ID: c661ff3e17607836add2fe12bfad7e340eedebb72448e90de4ba25e0088463d6
                                  • Opcode Fuzzy Hash: cc5d98c86868becba0739477ac4cdcde5ed2eca1d212ad5beec22b49f538891e
                                  • Instruction Fuzzy Hash: B85144B5904246DFDF25DF28C480AFABBA1EF1A360F244055EC91AB2D0DB749D43EB61
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00F6F6E9
                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F6F702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  • Opcode ID: fe8bd820edeba4e9404bf9e3463bd9ec2d4bdf45201235a7681f56e9cc371841
                                  • Instruction ID: 8294c556f1e1c4abb48b4f35b3038adc740814630303e1dbb9f756f9fa510a22
                                  • Opcode Fuzzy Hash: fe8bd820edeba4e9404bf9e3463bd9ec2d4bdf45201235a7681f56e9cc371841
                                  • Instruction Fuzzy Hash: A2517772518744ABD320AF10DC86BAFBBE8FF84351F818C4DF6D951191DB39852ACB26
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: BuffCharUpper_wcslen
                                  • String ID: CALLARGARRAY
                                  • API String ID: 157775604-1150593374
                                  • Opcode ID: 4f8579891f88f03673c70a84980011c3f3bced3d299153c9e36a89f7e3e56110
                                  • Instruction ID: 0f922f12ec25391df71fc72ef5727c04a103fe4b057b519b837ab2dd138852c8
                                  • Opcode Fuzzy Hash: 4f8579891f88f03673c70a84980011c3f3bced3d299153c9e36a89f7e3e56110
                                  • Instruction Fuzzy Hash: BB418071E002199FCB04EFA9C8859EEBBB6EF58760F18402AE506E7352D7749D81DF90
                                  APIs
                                  • _wcslen.LIBCMT ref: 00FCDA8D
                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FCDA97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CrackInternet_wcslen
                                  • String ID: |
                                  • API String ID: 596671847-2343686810
                                  • Opcode ID: 19babf11a55fcb21571088c96de0c39b94c541e40444e4fbf505327cd49d7254
                                  • Instruction ID: 50ccb34a9aca0627b50e2d3bbacd251100331c40ff2c0b76d070cb09f483a6a9
                                  • Opcode Fuzzy Hash: 19babf11a55fcb21571088c96de0c39b94c541e40444e4fbf505327cd49d7254
                                  • Instruction Fuzzy Hash: E9315071C0011AABCF05DFA5DD85EEEBFB9FF08350F100029F915A6262DB359916EB54
                                  APIs
                                  • DestroyWindow.USER32(?,?,?,?), ref: 00FE3F80
                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FE3FBB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$DestroyMove
                                  • String ID: static
                                  • API String ID: 2139405536-2160076837
                                  • Opcode ID: 10730c3b786d35754b3d27a05232aac554d4eeece639c2aa2e22a2392b741151
                                  • Instruction ID: 19a5b92c77e20afc96e5f7f76a8afd15add9ae375968e88151edcd9b209d09e8
                                  • Opcode Fuzzy Hash: 10730c3b786d35754b3d27a05232aac554d4eeece639c2aa2e22a2392b741151
                                  • Instruction Fuzzy Hash: 0931B071500684AEDB149F39CC88AFB73B9FF88720F10861DF99987180DA34ED81E760
                                  APIs
                                  • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FE4F7E
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE4F93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  • Opcode ID: 697ba2b8e1a666888eefc9b283eeb8bb0d3cf7321f541792bf788bb960b6fc33
                                  • Instruction ID: 052ee0656eb5b57d1ff96bdb772440981320b8590ea5202727229773111a1c0f
                                  • Opcode Fuzzy Hash: 697ba2b8e1a666888eefc9b283eeb8bb0d3cf7321f541792bf788bb960b6fc33
                                  • Instruction Fuzzy Hash: D0313775E0138A9FDB14CFAAC880BDABBB5FF49700F10016AE905AB381D771A941DF90
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FE3BDB
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE3BE6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  • Opcode ID: af719fd09f0f9a3931469f88aceec2a1e5690f00fb7bfe017365825f6c3b35b2
                                  • Instruction ID: 6c866693fabe8114daaeb9f36e49cbb124209de41e17a7c09ae6874a78e8b9f1
                                  • Opcode Fuzzy Hash: af719fd09f0f9a3931469f88aceec2a1e5690f00fb7bfe017365825f6c3b35b2
                                  • Instruction Fuzzy Hash: F911E6716002487FEF219F16CC88EBB37AAEBC43B4F104125F919DB2A0D635DD51A7A0
                                  APIs
                                    • Part of subcall function 00F5771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F57759
                                    • Part of subcall function 00F5771B: GetStockObject.GDI32(00000011), ref: 00F5776D
                                    • Part of subcall function 00F5771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F57777
                                  • GetWindowRect.USER32(00000000,?), ref: 00FE40D9
                                  • GetSysColor.USER32(00000012), ref: 00FE40F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                  • String ID: static
                                  • API String ID: 1983116058-2160076837
                                  • Opcode ID: 9de8cd177e99aa648fb5feaead1bb98147e5edb30a3a4cd585a5efdc26addb85
                                  • Instruction ID: a7d653a2c0c22c39d5324b5b62a5d9a98689d8cd96119a9393b353de2fc89ddd
                                  • Opcode Fuzzy Hash: 9de8cd177e99aa648fb5feaead1bb98147e5edb30a3a4cd585a5efdc26addb85
                                  • Instruction Fuzzy Hash: 36116A72610249AFDF01DFA8CC45AFA7BB8FB08314F000528FD55E3150E675E851EB60
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FCD6DA
                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FCD703
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Internet$OpenOption
                                  • String ID: <local>
                                  • API String ID: 942729171-4266983199
                                  • Opcode ID: 66688bbf1a07b5b0f98928b63676c84b3d65a06a29b4c2187e5539a9aea65d03
                                  • Instruction ID: da0a6cd8d90d528ce001b2547222fe84a07da4d9eb988a168989dea430c02f29
                                  • Opcode Fuzzy Hash: 66688bbf1a07b5b0f98928b63676c84b3d65a06a29b4c2187e5539a9aea65d03
                                  • Instruction Fuzzy Hash: 061191725052267AD7284B669D46FEBBEA8EB127A8F00422EB10A97180D6749840F6F0
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 00FE3E0A
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FE3E19
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  • Opcode ID: eda3d7e145e596f737c9fc0d0bf62bcfc4fc0966cbc531e8c4d71a32669b0b53
                                  • Instruction ID: 53667c1ff4fabbaa0d4b3f4610462e6148f98ca0743cc87a934fd7fa7642d2fc
                                  • Opcode Fuzzy Hash: eda3d7e145e596f737c9fc0d0bf62bcfc4fc0966cbc531e8c4d71a32669b0b53
                                  • Instruction Fuzzy Hash: 44118F71500248ABEB209E65DC8CAFB37A9EF05378F504714F964971E0C775DC55AB60
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                  • CharUpperBuffW.USER32(?,?,?), ref: 00FB7545
                                  • _wcslen.LIBCMT ref: 00FB7551
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                   • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen$BuffCharUpper
                                  • String ID: STOP
                                  • API String ID: 1256254125-2411985666
                                  • Opcode ID: 7ca0a3d73e0c3c2c4e96c7349fb68d411f52faf9bb71dff9fa247f5d871065ae
                                  • Instruction ID: 62c897d0f6c6416d57659bc9adcfea2df68d9e89e0700203ec0d46738b071ee8
                                  • Opcode Fuzzy Hash: 7ca0a3d73e0c3c2c4e96c7349fb68d411f52faf9bb71dff9fa247f5d871065ae
                                  • Instruction Fuzzy Hash: 4E01C832D1832A4BCB21BEBECC409FF77B5BBA4760B080524E81196191FB34D904EA50
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FB25DC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 624084870-1403004172
                                  • Opcode ID: 981d07df4fd3654249bcfbf5febe5357adcc9ed1a67397c465ebb181e07d5253
                                  • Instruction ID: 662accd0b8b18e37e99083e4f4222136aac531c1335180778a2b89a589d7ef04
                                  • Opcode Fuzzy Hash: 981d07df4fd3654249bcfbf5febe5357adcc9ed1a67397c465ebb181e07d5253
                                  • Instruction Fuzzy Hash: 6C012871A00119ABCB24EB65CC61DFE7774BF56320B080609B9625B2D6EE34990CBA60
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FB24D6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 624084870-1403004172
                                  • Opcode ID: 8a5e101e0e580b119caaf01996524b31b3059399011b0b1f02f45ac43f2f0380
                                  • Instruction ID: 648fdc06aa9d81eca4e4ec4ec95f8cb08ee9be9203d86f0dc1b79b3e0e05709b
                                  • Opcode Fuzzy Hash: 8a5e101e0e580b119caaf01996524b31b3059399011b0b1f02f45ac43f2f0380
                                  • Instruction Fuzzy Hash: 7F01F771A00109ABCB28FBA5CD51EFF77B8AF15300F140019794267287DA589E0CEA71
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FB2558
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 624084870-1403004172
                                  • Opcode ID: 4b01e6df6597ae7689277f6e616c0ad6e37414424a5430c59240d8bf0592d043
                                  • Instruction ID: 225af2d8d587b5369caae41942f898af98460a685e2b48cfb2e2222c7bc8949a
                                  • Opcode Fuzzy Hash: 4b01e6df6597ae7689277f6e616c0ad6e37414424a5430c59240d8bf0592d043
                                  • Instruction Fuzzy Hash: 57012671A00109A7CB21EBA5CD52FFF73B8AF15700F180019794277282EA689F0CBA71
                                  APIs
                                    • Part of subcall function 00F5B25F: _wcslen.LIBCMT ref: 00F5B269
                                    • Part of subcall function 00FB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4559
                                  • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FB2663
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ClassMessageNameSend_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 624084870-1403004172
                                  • Opcode ID: 58fd34c8c867f2d9584d8b64b930d4410bda0110188a424a2e52f9fe968f8df7
                                  • Instruction ID: 24b4851e8c80e8a4d1747c0397e626e7feb795bf0081953ba26ba65617d0d931
                                  • Opcode Fuzzy Hash: 58fd34c8c867f2d9584d8b64b930d4410bda0110188a424a2e52f9fe968f8df7
                                  • Instruction Fuzzy Hash: CEF02D71A40119A7C715F7A5CC91FFF7778BF01710F040519B962672C7DB68580CAA60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: 3, 3, 16, 1
                                  • API String ID: 176396367-3042988571
                                  • Opcode ID: a253a66bb191c31c4a4bca7f6c22282d59651d0bf3fa0ff3b6e25eb89d542d4e
                                  • Instruction ID: 2bcd42fedf3ae970fc2fa45567c876a4b4491362b5fd5d768c316e4b24fa0438
                                  • Opcode Fuzzy Hash: a253a66bb191c31c4a4bca7f6c22282d59651d0bf3fa0ff3b6e25eb89d542d4e
                                  • Instruction Fuzzy Hash: 52E0230370135021933132795CC157B7286DFC5360714185BFD85C6375FB889CA17391
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FB13B3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Message
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 2030045667-4017498283
                                  • Opcode ID: 907f3a9341b92e7d6bcab6a2651ee4bea995047bc9253936fb1ed7c14c8a6c09
                                  • Instruction ID: 62a9295ad413e24947d5275365628635729f70a14055a3b7e0c88f1323ae14f6
                                  • Opcode Fuzzy Hash: 907f3a9341b92e7d6bcab6a2651ee4bea995047bc9253936fb1ed7c14c8a6c09
                                  • Instruction Fuzzy Hash: BDE0D83224875827D21027956C03FC976848F04B52F10442BF74C698C34EE66440739A
                                  APIs
                                    • Part of subcall function 00F6FAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F71102,?,?,?,00F5100A), ref: 00F6FAE7
                                  • IsDebuggerPresent.KERNEL32(?,?,?,00F5100A), ref: 00F71106
                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F5100A), ref: 00F71115
                                  Strings
                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F71110
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                  • API String ID: 55579361-631824599
                                  • Opcode ID: c3c33d6ded7589c145695a44fbb95665bc6b173fd374fddcb5ee9d565f71d33c
                                  • Instruction ID: 43000aa6f8fab9c0a31eb6ffca0c70349441371007984b4ed4409c696548b6ca
                                  • Opcode Fuzzy Hash: c3c33d6ded7589c145695a44fbb95665bc6b173fd374fddcb5ee9d565f71d33c
                                  • Instruction Fuzzy Hash: 0EE09B706003414BD3309F68E8443427BF8BF04300F40CD5DE946CA692EBF4D448EB92
                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FC3905
                                  • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FC391A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: Temp$FileNamePath
                                  • String ID: aut
                                  • API String ID: 3285503233-3010740371
                                  • Opcode ID: 8a0bf206bddb9c0c81a70e8731cb41e9d0684259704d236c2f03767ce4b7dcb0
                                  • Instruction ID: 525f2bc082695a1a8f34f0e48514341650019cf2c283c981dfd4ec6885687efc
                                  • Opcode Fuzzy Hash: 8a0bf206bddb9c0c81a70e8731cb41e9d0684259704d236c2f03767ce4b7dcb0
                                  • Instruction Fuzzy Hash: 62D05E729003286BDA20A7A59C4EFCB7A6CDB44610F4002A1BB959A091DAB4DA85CB90
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE2CCB
                                  • PostMessageW.USER32(00000000), ref: 00FE2CD2
                                    • Part of subcall function 00FBF1A7: Sleep.KERNEL32 ref: 00FBF21F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: e8b9b109a85d359b3c6d40afc6b2cfa738611783b34c755abd040edb3dddfc52
                                  • Instruction ID: 66b7ce234689749960f6f553cf61a8154189603a04fe7a5328ac6a9aca018c0f
                                  • Opcode Fuzzy Hash: e8b9b109a85d359b3c6d40afc6b2cfa738611783b34c755abd040edb3dddfc52
                                  • Instruction Fuzzy Hash: B5D012353C13947BF668B771DD4FFC67A54BB54B14F4008167745AE1D0C9E46800DA58
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE2C8B
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FE2C9E
                                    • Part of subcall function 00FBF1A7: Sleep.KERNEL32 ref: 00FBF21F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  • Opcode ID: 26a98e45175ac91d3f7a8ec9cdf5bc8071cdd6599df9b69e24d1bc8a209b0327
                                  • Instruction ID: b231a78bbe94daa1b7f058ed7403509c4799e7abafde9ae751733ad327c37ea4
                                  • Opcode Fuzzy Hash: 26a98e45175ac91d3f7a8ec9cdf5bc8071cdd6599df9b69e24d1bc8a209b0327
                                  • Instruction Fuzzy Hash: CDD012393C4394BBF668B771DD4FFD67A54BB50B14F0008167749AE1D0C9E46800DA54
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F8C233
                                  • GetLastError.KERNEL32 ref: 00F8C241
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F8C29C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2126997962.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                                  • Associated: 00000002.00000002.2126958348.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000000FED000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127098744.0000000001013000.00000002.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127166188.000000000101D000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000002.00000002.2127191818.0000000001025000.00000002.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_f50000_AutoIt3.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 906c61fcf2011c3e372fa8b2757ce922fffba455c652206404899642b1cc7ed3
                                  • Instruction ID: c72edace2099e24900a100bba0a5018cadb73034231114dc6d6fffd41794095d
                                  • Opcode Fuzzy Hash: 906c61fcf2011c3e372fa8b2757ce922fffba455c652206404899642b1cc7ed3
                                  • Instruction Fuzzy Hash: 3C41B831A00246EFDF21AFE4CC44BEA7BA5EF45320F158169E859AB1E1DB308D01E7B1