Edit tour

Windows Analysis Report
Rage.exe

Overview

General Information

Sample name:	Rage.exe
Analysis ID:	1577496
MD5:	ca817109712a3e97bf8026cdc810743d
SHA1:	961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA256:	6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
Tags:	18521511316185215113209bulletproofexeGuLoaderuser-abus3reports
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain indicative of sandbox detection

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Rage.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\Rage.exe" MD5: CA817109712A3E97BF8026CDC810743D)

AutoIt3.exe (PID: 6436 cmdline: "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x MD5: 0ADB9B817F1DF7807576C2D7068DD931)

cleanup

Code function: 0_2_004051A7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051A7

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0028F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_0028F6C7

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0028F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_0028F45C

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0027A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_0027A54A

Source: AutoIt3.exe, 00000001.00000003.2111337921.0000000003AA3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES-#

memstr_4591a5ae-0

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_002A9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_002A9ED5

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00284678: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

1_2_00284678

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00271A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00271A91

Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004031CE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0027F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_0027F122

Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_004049E6	0_2_004049E6
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00238037	1_2_00238037
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00232007	1_2_00232007
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0022E0BE	1_2_0022E0BE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0021E1A0	1_2_0021E1A0
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0021225D	1_2_0021225D
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0024A28E	1_2_0024A28E
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002322C2	1_2_002322C2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0022C59E	1_2_0022C59E
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0029C7A3	1_2_0029C7A3
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0024E89F	1_2_0024E89F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0028291A	1_2_0028291A
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00246AFB	1_2_00246AFB
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00278B27	1_2_00278B27
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0023CE30	1_2_0023CE30
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00247169	1_2_00247169
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002A51D2	1_2_002A51D2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00219240	1_2_00219240
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00219499	1_2_00219499
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00231724	1_2_00231724
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00231A96	1_2_00231A96
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00219B60	1_2_00219B60
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00237BAB	1_2_00237BAB
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00231D40	1_2_00231D40
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00237DDA	1_2_00237DDA

Source: Joe Sandbox View

Dropped File: C:\ProgramData\wvtynvwe\AutoIt3.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: String function: 0022FD60 appears 40 times
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: String function: 00230DC0 appears 46 times

Source: Rage.exe, 00000000.00000002.2056097910.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs Rage.exe

Source: Rage.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@4/6@0/0

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0028410F GetLastError,FormatMessageW,

1_2_0028410F

Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_004031CE
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0027194F AdjustTokenPrivileges,CloseHandle,	1_2_0027194F
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00271F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_00271F53

Source: C:\Users\user\Desktop\Rage.exe

Code function: 0_2_00404473 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404473

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0029AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0029AFDB

Source: C:\Users\user\Desktop\Rage.exe

Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,

0_2_004020CB

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00283923 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00283923

Source: C:\Users\user\Desktop\Rage.exe

File created: C:\Users\user\AppData\Local\Temp\nsmE8C2.tmp

Jump to behavior

Source: Rage.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rage.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Rage.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Rage.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Rage.exe

File read: C:\Users\user\Desktop\Rage.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Rage.exe "C:\Users\user\Desktop\Rage.exe"
Source: C:\Users\user\Desktop\Rage.exe	Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
Source: C:\Users\user\Desktop\Rage.exe	Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x	Jump to behavior

Source: C:\Users\user\Desktop\Rage.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Rage.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Rage.exe

Static file information: File size 1401522 > 1048576

Source: Rage.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00215D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00215D78

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00260332 push edi; ret	1_2_00260333
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00230E06 push ecx; ret	1_2_00230E19
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0022DBFA push cs; iretd	1_2_0022DBFD
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0022DC00 push eax; iretd	1_2_0022DC01

Source: C:\Users\user\Desktop\Rage.exe

File created: C:\ProgramData\wvtynvwe\AutoIt3.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Rage.exe

File created: C:\ProgramData\wvtynvwe\AutoIt3.exe

Jump to dropped file

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002A25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_002A25A0
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0022FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0022FC8A

Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Rage.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-97217

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_00406245 FindFirstFileA,FindClose,	0_2_00406245
Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_0040570A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040570A
Source: C:\Users\user\Desktop\Rage.exe	Code function: 0_2_004026F8 FindFirstFileA,	0_2_004026F8
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0028A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0028A0FA
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0027E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0027E387
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0028A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_0028A488
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002865F1 FindFirstFileW,FindNextFileW,FindClose,	1_2_002865F1
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0024C642 FindFirstFileExW,	1_2_0024C642
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00287248 FindFirstFileW,FindClose,	1_2_00287248
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00287247 FindFirstFileW,	1_2_00287247
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_002872E9
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0027D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0027D836
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_0027DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_0027DB69
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00289F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00289F9F

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00215D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00215D78

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Rage.exe

API call chain: ExitProcess graph end node

graph_0-3316

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0028F3FF BlockInput,

1_2_0028F3FF

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00213312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00213312

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00215D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00215D78

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00235078 mov eax, dword ptr fs:[00000030h]

1_2_00235078

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00272093 GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,

1_2_00272093

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_002429B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_002429B2
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00230BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00230BCF
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00230D65 SetUnhandledExceptionFilter,	1_2_00230D65
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00230FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00230FB1

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

1_2_00271A91

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00213312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00213312

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0027BB02 SendInput,keybd_event,

1_2_0027BB02

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0027EBB3 mouse_event,

1_2_0027EBB3

Source: C:\Users\user\Desktop\Rage.exe

Process created: C:\ProgramData\wvtynvwe\AutoIt3.exe "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x

Jump to behavior

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_002713F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_002713F2

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00271EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00271EF3

Source: AutoIt3.exe, 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: AutoIt3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_00230A28 cpuid

1_2_00230A28

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0026E59A GetLocalTime,

1_2_0026E59A

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0026E5F8 GetUserNameW,

1_2_0026E5F8

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Code function: 1_2_0024BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_0024BCF2

Source: C:\Users\user\Desktop\Rage.exe

Code function: 0_2_004031CE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031CE

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe, 00000001.00000003.2107581440.0000000001382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: AutoIt3.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8

Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00292163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00292163
Source: C:\ProgramData\wvtynvwe\AutoIt3.exe	Code function: 1_2_00291B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_00291B61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	31 Input Capture	2 System Time Discovery	Remote Services	31 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	21 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	16 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Rage.exe	53%	ReversingLabs	Win32.Trojan.Privateloader
Rage.exe	100%	Avira	HEUR/AGEN.1355636
Rage.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\wvtynvwe\AutoIt3.exe	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	Rage.exe, 00000000.00000002.2056097910.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000001.00000000.2055005198.00000000002E5000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr	false	high
http://upx.sf.net	Amcache.hve.1.dr	false	high
http://nsis.sf.net/NSIS_Error	Rage.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	Rage.exe	false	high
https://www.autoitscript.com/autoit3/	AutoIt3.exe.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577496
Start date and time:	2024-12-18 14:26:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Rage.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@4/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Rage.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\wvtynvwe\AutoIt3.exe	copia111224mp.hta	Get hash	malicious	Unknown	Browse
	FX6KTgnipP.exe	Get hash	malicious	FormBook	Browse
	uhbrQkYNzx.exe	Get hash	malicious	FormBook	Browse
	qPLzfnxGbj.exe	Get hash	malicious	FormBook	Browse
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse
	FS04dlvJrq.exe	Get hash	malicious	FormBook	Browse
	M1Y6kc9FpE.exe	Get hash	malicious	FormBook	Browse
	mJIvCBk5vF.exe	Get hash	malicious	FormBook	Browse
	lcbF0sywlU.exe	Get hash	malicious	FormBook	Browse

Created / dropped Files

C:\ProgramData\435687634234262.exe

Download File

Process:	C:\ProgramData\wvtynvwe\AutoIt3.exe
File Type:	data
Category:	dropped
Size (bytes):	622080
Entropy (8bit):	7.9997308156842095
Encrypted:	true
SSDEEP:	12288:VmDWsllXiXi1W6/qvdYO0q2OIaFdI0bYkqmYdGGWQYt:VmVlXiAO+nOIaHYdGac
MD5:	DBF76F233EFEB642BDF11A19274F1024
SHA1:	DE7704F63F2D59545348665A81CF8C04DCE3B5E4
SHA-256:	268ADE4ED11213FAFAD41161A2A3465972269EF1132095E798FE1E59FF15054C
SHA-512:	35A09918FDC969380D2F225F0FCE9944290D3B2F6443A8B9F0B0D3551B5F3AEDCA78BFBC53FA59596C28316D910E073A09E0855BDA16508DBBBEA8EE05E450F1
Malicious:	false
Reputation:	low
Preview:	..l...~I...LJ..2....9N'...\|.B0.q...../...k......N..1/.M S...GaU.x....+..2C..j..#7..W.(.j...";..J._%.....W...<)..u..t8.~L.+...2G[......x....9&.G..5.b..k./..7N...).?..Z....3.....Q...a.(`..._f-.n......A.7.5..;..[..;.gA.f../t.#b....%..O:....=...qu.EE......p...>Dym.5.....&..a..a....E........ p....Y.....79.?.....u...S......H..Z.....=WGM..9...[U..u$H0.."pC.?.Y...U.*....I'.N._R,.fo5..:......Yr~...'.{2%......+.5..e.Z...Jmp.....Tz.vL.....k^ D..u.m!].wA......7....A..Hnq...f7..._...]r.......Oo..Q..T...Y.....7<H.....L..T...gajT.s{.}....P.>.A. ....J..7.E....m)(.$.w.;..~....B..7w2.....n..m.......c.......N..vi.k...2....U...7\...)Q.6..O.....Y..$......Wk.a...os.f....i..6.7.k.i..{x.....V!.....qC9e.~_..-..W..3<.Pt3..{......A....1m...N...+g.......5.b2........a.!...Tx.MJ ..>..V.....T.F.h.`..NN..{...x.8..\|.(.~...>.$..I..].....X.....C.\|..\|m.s..xy.n..&.$`.x......mZ.7..c.....sLs<\|8.p..=h.F.x[._^. 2W.2.?q)m.n.#.m...........1I..\|..6m.IG3F`.>....m...<8.?..@.{...

C:\ProgramData\wvtynvwe\AutoIt3.exe

Download File

Process:	C:\Users\user\Desktop\Rage.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.629681466265794
Encrypted:	false
SSDEEP:	24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
MD5:	0ADB9B817F1DF7807576C2D7068DD931
SHA1:	4A1B94A9A5113106F40CD8EA724703734D15F118
SHA-256:	98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
SHA-512:	883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: copia111224mp.hta, Detection: malicious, Browse Filename: FX6KTgnipP.exe, Detection: malicious, Browse Filename: uhbrQkYNzx.exe, Detection: malicious, Browse Filename: qPLzfnxGbj.exe, Detection: malicious, Browse Filename: ngPebbPhbp.exe, Detection: malicious, Browse Filename: FS04dlvJrq.exe, Detection: malicious, Browse Filename: M1Y6kc9FpE.exe, Detection: malicious, Browse Filename: mJIvCBk5vF.exe, Detection: malicious, Browse Filename: lcbF0sywlU.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................\|....P..P............N..X&...0..Pv...........................C..........@............................................text...\|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\ProgramData\wvtynvwe\clxs.a3x

Download File

Process:	C:\Users\user\Desktop\Rage.exe
File Type:	data
Category:	dropped
Size (bytes):	250864
Entropy (8bit):	7.999388677232713
Encrypted:	true
SSDEEP:	6144:ZJF8chnNsqla1cCrZlnrfH59NHE28pqRXoYWHnTfE:7FfhnNq19ND7HE28sWdno
MD5:	0F310D0DD203531155EDB3816D108F7B
SHA1:	5BB3EED68D98FE1D6B58593A9F94DD836910141B
SHA-256:	49EB3055447DB8CE038E572FF2A8B48234E14590064EFB9857BBF4779BCCBCC0
SHA-512:	BE820A8350304B355253B854B911AC5ECD6A6A544D3F71FE1093316214BDF2DE40DE38E8910499733423983F61DE2C64E95FEF5099C0852A68AC7D08994954FB
Malicious:	false
Reputation:	low
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M........+..M...F.f.q..^,+.W.9>.r.nw.i@.../9...w.6..;..$dr..yO.n....-.....qH..O....?@....L.9"...]g....{.q_.1N(...+.................."..O...."..OkC.R......%x....}...q..U-...(....%....V..?p.h.....l)".N.#.R......v.g@6.[..G...I.h...%D'7...Y.....6(..)w....+...........7.`....8.u....h..0p.R%. X....^+.B..=H.{.X......U...+...U+.......O....B).Om.......zx.5...x...(nU.j....06.f".].X.:..).....H.}....8....tX.....=.....`.'.....?...".i('.......y.}......}...u...h.C.]2.:.....fZ:..q....D..e...o........>l..Xs.....y@$..f.....c...+.n.j(...,jJ.k.;..........r.5.m}jc'l5V.o.^....H...u.h..[c...E].O..\|...}..xf.u....X.J.n..%..K..C...o?4.._?......[9..~....W.N....[5o%....$..U.c.o...:6.J.....aT....\|e.<N.4.U..0..".[....Z.A....:....:8.=...?M.....-....]..<....{)`..`..m#b`.E.g[_..?.A...`W..~x....%&>..q.....i.iz.z.5@^.j.%.-..86.Q7Gk...j..%..s.).(3.S.%}e..-..S'...}fE.nQJ.}...-..JZ

C:\ProgramData\wvtynvwe\wercejx.a3x

Download File

Process:	C:\Users\user\Desktop\Rage.exe
File Type:	data
Category:	dropped
Size (bytes):	810
Entropy (8bit):	7.7008570368813745
Encrypted:	false
SSDEEP:	24:MydjnKgYFhOZsLyFze7F9PxLsPtTuPagzj:MydzZGycDq5uyg
MD5:	D05B9A6C0174AD4C6A05720C2D44501B
SHA1:	CABE5CD3BD6EECA163D4C95C43CE5026BA277753
SHA-256:	153F2D0E2960CA4D2308A6EC33DF33C5F05ACFA1D99445C75B9AE14539DB2232
SHA-512:	BAA048D004408F0297CA9DDEBBD391211925EA6F166BFFCD77DB9932AF8717EC11E3963C41B7FCA8CF34961884CCC20B491268F3B22C92D59DD134E8DB0CE2C1
Malicious:	false
Reputation:	low
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M........+..M...F.f.q..^,+.W.9>.r.nw.i@.../9...w.6..;..$dr..yO.n....-.....qH..O....?@....L.9"...]g....x.._.1N(...+...................].......]..kC.R......%x....}...q..U-...(....%....V..?p.h.....l)".N.#.R......v.g@6.[..G...I.h...%D'7...Y.....6(..)w....+...........7.`....8.u....h..0p.R%. ....^,.B..=H.{.X............6.......?.......!...m.....?...x.5...l.s.l......u.!..r..~....%....\|........(...,..#..........`.]9.....q;..@T.(<.....>.`.S.P@....uC !l..;..&.. ..7...0i.......x..}.U.-..X.L.j.c8\|#.......j..3..........G\|.~.hS.u$..Z.......6.w....hI..ent...]t..XD......<.....\|......l..5.M...o.1Ur.......:.i....\|..ex.5.Xx..-.\._Nq.j......!..W..!.s.H?....0I.F.kF...,.....AU3!EA06

C:\ProgramData\wvtynvwe\werviuybe.erv

Download File

Process:	C:\Users\user\Desktop\Rage.exe
File Type:	data
Category:	dropped
Size (bytes):	622080
Entropy (8bit):	7.999725875866043
Encrypted:	true
SSDEEP:	12288:DchkQgw6LFW6dEfmeW7ixERPvLYP7hNaWTZmarRsR4o60h/fKJmk8SP8:4hyblaf2iivi3a4c49yYP8
MD5:	160F088E0C2CFC575144BAF3C6490757
SHA1:	BA3B72EFA7AC73BC530B512103FC4F35B78B5D9D
SHA-256:	0D65174F3D8E4D8BC12FAD4110930C1EB4E711285366CB68A703684B0325D5E3
SHA-512:	AA1ACC4F9B8ADE2FA821607C09BC61B539551AD87F9CE2180A84FD80FBC8E48D7669DE35516A40D2609F9972A27816FBFBB983EFBE7E8EB8519913BB437CC468
Malicious:	false
Preview:	..yxV.$E......v^T1..R.r.4cS...\~.....d......!c.`K$..71..I.%I@:...D.5m....g..........B.in;y:.....&...6$J..Wb..v.<.XU.....P.......FH..kW}>\|"..<s\|f.......YO..'... ...l.q.}....U.b._...{C..=....^.~U......7iX.8.j!61.m^.K..H}.S.%u... \|BeN>.t. ........%j...I..Ab..O)..r.-.K...l.e(..-+ Y.......:6........V....o..Y:.6...h6~0.1.S.......[zg...e...r]...!.D.t.a.Ey\..&. ACy/D...n..6.M.n........~.u.^u.q4.$..s.N.r..q....... C.....\|..0...V...4....H&<H.Iqrn.3P..%d....>...y..\|ZL..B..P.I....../.....[.c..w.q.`k......~....(.bx.$$L.H..7N...?..hf........,.B...v.mI.0...0...mD......(_.GK..@...C..G<"$..b. ..d.s.".-.1...;DG..7.t..@(.-.....I.Q$.%.(.2...X.P.N.3%...).\|=.gb.n...K.;.3.f..2.L%......./..e..j1.5y.0.u..>F...K0.....}#&....o..=.u..v.TW.....g..^V...M.k.%]....C.K..g.q.9....G&...V..c...R..)..Pcry..n..<.:U...9Vy.(..O...J.5.&.Y.C.k..Ex...K..j!.i..&Y.....X.M.1...0l.3...:...`.v..b\|..e... {\|......J..y[l.....?.*.... .;6....5.2..E..x...{....9.U...q..3.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\ProgramData\wvtynvwe\AutoIt3.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.418976133379459
Encrypted:	false
SSDEEP:	6144:ESvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:PvloTMW+EZMM6DFyn03w
MD5:	30245D87ADCE3C0A0481509D7ABBD162
SHA1:	F95EDD9A91212EB432F6427F04FE9CDCB4D5E611
SHA-256:	AF43A9CDB797A46EA4F05E77572DE743BE4912F9F2A4A12AF77FE41FB3B7A371
SHA-512:	D78905DE20A8DFFE3879F7A17CD87D0784817E7E3E2A91D853B8E7DD26EB2BF0A31602354E2AE161BCEEBA8A0FD9EEB8781034B322E6B63DB1452F1688BB8C73
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJ.?.PQ...............................................................................................................................................................................................................................................................................................................................................W(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.995122468475881
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Rage.exe
File size:	1'401'522 bytes
MD5:	ca817109712a3e97bf8026cdc810743d
SHA1:	961478cdfe1976d5cc30ceca7db9b3552b8aaf09
SHA256:	6badd865383f71c6d26322fcf3b6b94a5a511981fcb04c8452ff20c8528e0059
SHA512:	de1c67f87a14f7f3c1416c253a117970974c82e87f94a3b176980edfef0164f2dd4621d81ca0cae95d794a2998e325137ce76ebccc5121ab005ca391efcbec3e
SSDEEP:	24576:/cHSfhDMKnkUTgZGLvbPKqCRrLA3FcFfhk1Llhyblaf2iivi3a4c49yYPp:iSZYjUaQvbJQgFcoplMBu2/vvj4cep
TLSH:	7A5533179D79F447CF504DBBC6B8633A5EC48AD8D8F9DB4B47C9D21278E1A27842C888
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L...^..Y.................b....9....

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4031ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x597FCC5E [Tue Aug 1 00:33:34 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F4Ch], eax
je 00007F17546EC7E3h
push ebx
call 00007F17546EF89Ah
cmp eax, ebx
je 00007F17546EC7D9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F17546EF816h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F17546EC7BDh
push 0000000Ah
call 00007F17546EF86Eh
push 00000008h
call 00007F17546EF867h
push 00000006h
mov dword ptr [007A2F44h], eax
call 00007F17546EF85Bh
cmp eax, ebx
je 00007F17546EC7E1h
push 0000001Eh
call eax
test eax, eax
je 00007F17546EC7D9h
or byte ptr [007A2F4Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3018h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E500h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ac000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x602d	0x6200	3185076a5a29defdf887b84542b0b282	False	0.6696827168367347	data	6.442241024363186	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	34765c826af6bd742ec098b21c19a239	False	0.4287109375	data	5.0453837222906515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399058	0x400	cef4e1d3e6f981154be7da00aaf384f5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ac000	0xa50	0xc00	52f3fab1bd39f34b7703451e89302346	False	0.4029947916666667	data	4.191234591104813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3ac190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x3ac478	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3ac578	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3ac698	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3ac6f8	0x14	data	English	United States	1.2
RT_MANIFEST	0x3ac710	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:27:15
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Rage.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Rage.exe"
Imagebase:	0x400000
File size:	1'401'522 bytes
MD5 hash:	CA817109712A3E97BF8026CDC810743D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:27:15
Start date:	18/12/2024
Path:	C:\ProgramData\wvtynvwe\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
Imagebase:	0x210000
File size:	947'288 bytes
MD5 hash:	0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.8%
Total number of Nodes:	1315
Total number of Limit Nodes:	17

Executed Functions

Function 004031CE Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004031F3
GetVersion.KERNEL32 ref: 004031F9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040322C
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403268
OleInitialize.OLE32(00000000), ref: 0040326F
SHGetFileInfoA.SHELL32(0079E500,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 0040328B
GetCommandLineA.KERNEL32(007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 004032A0
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Rage.exe",00000000,?,00000006,00000008,0000000A), ref: 004032B3
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Rage.exe",00000020,?,00000006,00000008,0000000A), ref: 004032DE
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033DB
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004033EC
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004033F8
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040340C
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403414
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403425
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040342D
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403441

Part of subcall function 004062DA: GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
Part of subcall function 004062DA: GetProcAddress.KERNEL32(00000000,?), ref: 00406307

Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F

Part of subcall function 00403792: GetUserDefaultUILanguage.KERNELBASE(00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 004037AC
Part of subcall function 00403792: lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,?,?,open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000000,C:\ProgramData\wvtynvwe,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410), ref: 00403882
Part of subcall function 00403792: lstrcmpiA.KERNEL32(?,.exe), ref: 00403895
Part of subcall function 00403792: GetFileAttributesA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004038A0
Part of subcall function 00403792: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\ProgramData\wvtynvwe), ref: 004038E9
Part of subcall function 00403792: RegisterClassA.USER32(007A26E0), ref: 00403926

ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 004034EA

Part of subcall function 004036B8: CloseHandle.KERNEL32(FFFFFFFF,004034EF,?,?,00000006,00000008,0000000A), ref: 004036C3

CoUninitialize.COMBASE(?,?,00000006,00000008,0000000A), ref: 004034EF
ExitProcess.KERNEL32 ref: 00403510
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040362D
OpenProcessToken.ADVAPI32(00000000), ref: 00403634
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040364C
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040366B
ExitWindowsEx.USER32(00000002,80040002), ref: 0040368F
ExitProcess.KERNEL32 ref: 004036B2

Part of subcall function 0040565E: MessageBoxIndirectA.USER32(0040A218), ref: 004056B9

Strings

\Temp, xrefs: 004033F2
NSIS Error, xrefs: 00403291
C:\ProgramData\wvtynvwe, xrefs: 004033C0, 004034C1, 0040356B, 00403574
TMP, xrefs: 00403428
", xrefs: 00403303
1033, xrefs: 0040343C
"C:\Users\user\Desktop\Rage.exe", xrefs: 004032A6, 004032AC, 00403465
C:\Users\user\Desktop\Rage.exe, xrefs: 004035CD
TEMP, xrefs: 00403420
SeShutdownPrivilege, xrefs: 00403646
C:\Users\user\AppData\Local\Temp\, xrefs: 004033D0, 004033D5, 004033EB, 004033F7, 00403406, 00403413, 0040341F, 00403427, 00403520, 00403531, 0040353C, 00403548, 00403555, 00403564, 00403613
C:\Users\user\Desktop, xrefs: 00403542, 00403547, 00403573
Error launching installer, xrefs: 004034A7
.tmp, xrefs: 00403537
Low, xrefs: 0040340E
UXTHEME, xrefs: 00403220, 00403225, 0040322B
C:\ProgramData\wvtynvwe, xrefs: 004034CC
~nsu, xrefs: 0040351B

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Process$Exit$FileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Rage.exe"$.tmp$1033$C:\ProgramData\wvtynvwe$C:\ProgramData\wvtynvwe$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Rage.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3861850387-1526231467
Opcode ID: 54dfbb4b5d42e962b35138971a0652499d0f60d33a266ff226056ae41e917d95
Instruction ID: ea326dcf1c0b3132f51e3ff7546da7ae9c11cd61220b9029df30233a3f69a636
Opcode Fuzzy Hash: 54dfbb4b5d42e962b35138971a0652499d0f60d33a266ff226056ae41e917d95
Instruction Fuzzy Hash: FAC1C570104741AAD7216F759E49A2F3FADAB8630AF04457FF581B51E2CB7C8A05CB2E

Function 00403792 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062DA: GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
Part of subcall function 004062DA: GetProcAddress.KERNEL32(00000000,?), ref: 00406307

GetUserDefaultUILanguage.KERNELBASE(00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 004037AC

Part of subcall function 00405EA0: wsprintfA.USER32 ref: 00405EAD

lstrcatA.KERNEL32(1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Rage.exe",00000000), ref: 0040380D
lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,?,?,open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000000,C:\ProgramData\wvtynvwe,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,75923410), ref: 00403882
lstrcmpiA.KERNEL32(?,.exe), ref: 00403895
GetFileAttributesA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004038A0
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\ProgramData\wvtynvwe), ref: 004038E9
RegisterClassA.USER32(007A26E0), ref: 00403926
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040393E
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403973
ShowWindow.USER32(00000005,00000000), ref: 004039A9
GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 004039D5
GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 004039E2
RegisterClassA.USER32(007A26E0), ref: 004039EB
DialogBoxParamA.USER32(?,00000000,00403B2F,00000000), ref: 00403A0A

Strings

C:\ProgramData\wvtynvwe, xrefs: 0040381C, 00403824, 004038BC, 004038C2, 004038D2
RichEd20, xrefs: 004039AF
1033, xrefs: 004037B2, 00403808
"C:\Users\user\Desktop\Rage.exe", xrefs: 00403796
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797
.exe, xrefs: 0040388F
RichEdit, xrefs: 004039DC
Control Panel\Desktop\ResourceLocale, xrefs: 004037C6
RichEdit20A, xrefs: 004039CD, 004039D3
_Nb, xrefs: 00403905, 0040396D
&z, xrefs: 004038F8
RichEd32, xrefs: 004039BD
.DEFAULT\Control Panel\International, xrefs: 004037F8
open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 00403850, 00403858, 00403865, 004038AF, 004038B5

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Rage.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\ProgramData\wvtynvwe$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\ProgramData\wvtynvwe\AutoIt3.exe$&z
API String ID: 606308-4152628808
Opcode ID: 4573ba04ebc77884384a9dff4b57512f3d1cc68e7e8383aaaadbd8588d4d55f5
Instruction ID: 6bdd0c24031e65af1bb83e80dbe2e3bb6674319255249ac8b849c9fe46f77251
Opcode Fuzzy Hash: 4573ba04ebc77884384a9dff4b57512f3d1cc68e7e8383aaaadbd8588d4d55f5
Instruction Fuzzy Hash: AE61D571240600BED610BF659D45F3B3AACEB85749F00857FF980B22E2DB7D99068B2D

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D59
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\Rage.exe,00000400), ref: 00402D75

Part of subcall function 00405ADB: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
Part of subcall function 00405ADB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00402DC1

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
soft, xrefs: 00402E36
Error launching installer, xrefs: 00402D98
"C:\Users\user\Desktop\Rage.exe", xrefs: 00402D48
C:\Users\user\Desktop\Rage.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
Null, xrefs: 00402E3F
Inst, xrefs: 00402E2D
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Rage.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-4189184754
Opcode ID: fd2093084ae6f2f361c09d7edbe045a2102e248848af7ed0038dbebb5adda0e8
Instruction ID: 431bbe5dcf390c8e3b41a4a2cddc22f4a4d5a60d02444a29ee6e72f21c3f1069
Opcode Fuzzy Hash: fd2093084ae6f2f361c09d7edbe045a2102e248848af7ed0038dbebb5adda0e8
Instruction Fuzzy Hash: F351E23194021AABDB109F65DE89B9F7BB8EB05354F10413BFA04B62D1D7BC8D818B9D

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,open,C:\ProgramData\wvtynvwe,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\ProgramData\wvtynvwe,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F

Part of subcall function 00405069: lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
Part of subcall function 00405069: lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
Part of subcall function 00405069: lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
Part of subcall function 00405069: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
Part of subcall function 00405069: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
Part of subcall function 00405069: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
Part of subcall function 00405069: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125

Strings

open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 00401826, 00401842
C:\ProgramData\wvtynvwe, xrefs: 00401786
open, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\ProgramData\wvtynvwe\clxs.a3x, xrefs: 004017A3, 00401812, 00401830

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\ProgramData\wvtynvwe$C:\ProgramData\wvtynvwe\clxs.a3x$open$open C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 1941528284-3126961360
Opcode ID: 0d43fd7dd8353952853e9013bf133ef40285121c9ea51c1581a1687533a7fe47
Instruction ID: dd9c0c15e66697baca7a35a40d3b20135c8550c1c4c1c20121428b1abfe738c2
Opcode Fuzzy Hash: 0d43fd7dd8353952853e9013bf133ef40285121c9ea51c1581a1687533a7fe47
Instruction Fuzzy Hash: 7041E531904516BACF10BBB5CC45DAF3679EF41328B20837BF522B20E1C67C8A419E6E

Function 0040626C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406283
wsprintfA.USER32 ref: 004062BC
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062D0

Strings

%s%s.dll, xrefs: 004062B6
UXTHEME, xrefs: 00406275
\, xrefs: 00406294

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: faee1f553c32e40c51e8eba8ef91b672ff9b85d18c2ea7a865910a86d6ce685a
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 34F0F630500609ABEF14AB64DD0DFEB375CAB08304F1404BEA686F10C1EAB8D9258B68

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402FE8
GetTickCount.KERNEL32 ref: 0040306C
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00403095
wsprintfA.USER32 ref: 004030A5

Strings

... %d%%, xrefs: 0040309F

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 395bbff9825787910bb7d588d8f06c8aea948aff440e28438afa561c5abaef61
Instruction ID: 4f4b31f3c2c8719a6221e0ae45b4e5efb49971fa938741557c66a7ddabd37736
Opcode Fuzzy Hash: 395bbff9825787910bb7d588d8f06c8aea948aff440e28438afa561c5abaef61
Instruction Fuzzy Hash: CE516E319012199BCB10DFA5DA44A9F7BB8EB08756F14413BF910BB2D0D7789F40CBA9

Function 00405B0A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B1E
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B38

Strings

nsa, xrefs: 00405B15
"C:\Users\user\Desktop\Rage.exe", xrefs: 00405B0A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0D

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1349086275
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: bf28a9a74c6123c17d6ea431a1df647465e9dab3760c1a926ea6b161aa6db928
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: C8F082363042046BEB109F56DD04B9BBBADDFD1750F10803BFA489B280D6B4A9548B58

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405973: CharNextA.USER32(?,?,007A0948,?,004059DF,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405981
Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 00405986
Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 0040599A

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040552F: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405572

SetCurrentDirectoryA.KERNELBASE(00000000,C:\ProgramData\wvtynvwe,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\ProgramData\wvtynvwe, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\ProgramData\wvtynvwe
API String ID: 1892508949-2371683539
Opcode ID: 4b67de153c8d73bd22696679ffb2b688d2c98a0fa6de6dd23771108c840cb84a
Instruction ID: f5f4b3145e6fc53207d119520a298daebfb9a90f2eaea5cdf5ae3df67ae6ba32
Opcode Fuzzy Hash: 4b67de153c8d73bd22696679ffb2b688d2c98a0fa6de6dd23771108c840cb84a
Instruction Fuzzy Hash: D711C831608156EBCF217B654D4157F26B09A92324B28057FE9D1B22E2D63D4D429A2E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction ID: b093ac6dabfd3bf5cd98619b9c3e878c543c382afaa1261ab96434968757bf0e
Opcode Fuzzy Hash: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B6A36A8E751354F10813FF955F65F2D678CC028B4C

Function 004062DA Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403241,0000000A), ref: 004062EC
GetProcAddress.KERNEL32(00000000,?), ref: 00406307

Part of subcall function 0040626C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406283
Part of subcall function 0040626C: wsprintfA.USER32 ref: 004062BC
Part of subcall function 0040626C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062D0

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
Instruction ID: 6d4d7ac2ac74d54284c03329a575cd53d6fd54091c86bc9b4f5055757ed92d74
Opcode Fuzzy Hash: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
Instruction Fuzzy Hash: B0E0863260421057D21066715E04A3B72A89F84700302043EF946F2140DB389C3697AD

Function 00405ADB Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405AB6 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,?,004056CE,?,?,00000000,004058B1,?,?,?,?), ref: 00405ABB
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405ACF

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: aac931f15d2d7ee1e7e221b8fb91e87f1231b7c2176c4a2b53cffd82f2b4ddf1
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: 63D0C972504121ABD2102728AE0889BBB55DB54271712CB35F8A9A26F1DB304C569AA8

Function 004055AC Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031C1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004055B2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055C0

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: d679fad9c672f6a8ccfbb6da76b293a182284e12660a0008c2510280bf930a01
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 34C04C70214601FED6515B319F09B1B7EE6EB90781F11843A6146E41F4DA348455D92E

Function 00405B53 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403183,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B67

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: b7d91c5420632eddea9312ae655271143aa9063ea302fc5b9ab1ab8bce17f77e
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: C3E0EC3221065EABDF109E559C40EEB7B6CFB053A0F008476FD25E3150E631F8219FA4

Function 00405B82 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403139,00000000,0078A0F8,000000FF,0078A0F8,000000FF,000000FF,00000004,00000000), ref: 00405B96

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: dc12008b84dc55f9eae4749af390a7f63d9cada5657987a7308dd9f5849e87fb
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: D6E0EC3221065AABDF609E559C04AEB7B6CEB05360F004436F915E2150D675F921DBB8

Function 00405624 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00401EBC,?), ref: 00405633

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69

Function 00403186 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 00403194

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004036B8 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004034EF,?,?,00000006,00000008,0000000A), ref: 004036C3

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1614ba02b2613583747f204f4b2df3f5a1e6ee72f31db953788cc790fd2339e2
Instruction ID: e5b7db38883734f5cd43fd9a982a580d4974862b55da1e12b5eb97a8bd040236
Opcode Fuzzy Hash: 1614ba02b2613583747f204f4b2df3f5a1e6ee72f31db953788cc790fd2339e2
Instruction Fuzzy Hash: 0BC01230500704A6C5706F759E4F9053A545B81735F500735F0B5B11F1CB7C665AA55E

Non-executed Functions

Function 004049E6 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049FE
GetDlgItem.USER32(?,00000408), ref: 00404A09
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A53
LoadBitmapA.USER32(0000006E), ref: 00404A66
SetWindowLongA.USER32(?,000000FC,00404FDD), ref: 00404A7F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A93
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AA5
SendMessageA.USER32(?,00001109,00000002), ref: 00404ABB
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AC7
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AD9
DeleteObject.GDI32(00000000), ref: 00404ADC
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B07
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B13
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BA8
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BD3
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BE7
GetWindowLongA.USER32(?,000000F0), ref: 00404C16
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C24
ShowWindow.USER32(?,00000005), ref: 00404C35
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D32
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D97
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DAC
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DD0
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DF0
ImageList_Destroy.COMCTL32(?), ref: 00404E05
GlobalFree.KERNEL32(?), ref: 00404E15
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E8E
SendMessageA.USER32(?,00001102,?,?), ref: 00404F37
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F46
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F66
ShowWindow.USER32(?,00000000), ref: 00404FB4
GetDlgItem.USER32(?,000003FE), ref: 00404FBF
ShowWindow.USER32(00000000), ref: 00404FC6

Strings

N, xrefs: 00404C70
, xrefs: 00404F9E
M, xrefs: 00404B8F

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 93a5dea554acafdd7f9fa93af182cc67e10ddeacb3b9749c107691ee74c0e35b
Instruction ID: feb09b03230ec9de5227bb28ba9f3f750fb888e87e2cf3f84613fbf0b179ef39
Opcode Fuzzy Hash: 93a5dea554acafdd7f9fa93af182cc67e10ddeacb3b9749c107691ee74c0e35b
Instruction Fuzzy Hash: FC028FB0900209EFEB149F68DD85AAE7BB5FB84315F10813AF610B62E1C7789D52DF58

Function 004051A7 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405206
GetDlgItem.USER32(?,000003EE), ref: 00405215
GetClientRect.USER32(?,?), ref: 00405252
GetSystemMetrics.USER32(00000002), ref: 00405259
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040527A
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040528B
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040529E
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052AC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052BF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052E1
ShowWindow.USER32(?,00000008), ref: 004052F5
GetDlgItem.USER32(?,000003EC), ref: 00405316
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405326
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040533F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040534B
GetDlgItem.USER32(?,000003F8), ref: 00405224

Part of subcall function 00404038: SendMessageA.USER32(00000028,?,00000001,00403E68), ref: 00404046

GetDlgItem.USER32(?,000003EC), ref: 00405367
CreateThread.KERNEL32(00000000,00000000,Function_0000513B,00000000), ref: 00405375
CloseHandle.KERNEL32(00000000), ref: 0040537C
ShowWindow.USER32(00000000), ref: 0040539F
ShowWindow.USER32(?,00000008), ref: 004053A6
ShowWindow.USER32(00000008), ref: 004053EC
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405420
CreatePopupMenu.USER32 ref: 00405431
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405446
GetWindowRect.USER32(?,000000FF), ref: 00405466
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040547F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054BB
OpenClipboard.USER32(00000000), ref: 004054CB
EmptyClipboard.USER32 ref: 004054D1
GlobalAlloc.KERNEL32(00000042,?), ref: 004054DA
GlobalLock.KERNEL32(00000000), ref: 004054E4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054F8
GlobalUnlock.KERNEL32(00000000), ref: 00405511
SetClipboardData.USER32(00000001,00000000), ref: 0040551C
CloseClipboard.USER32 ref: 00405522

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 5bb85f9fd3fc5e549709c94d4a210579cba1b9e23c5744368082747204fdc146
Instruction ID: 09962e5fca3f90e9578524edcc49537ab2d17e1ad14151c73511ea412a4409f5
Opcode Fuzzy Hash: 5bb85f9fd3fc5e549709c94d4a210579cba1b9e23c5744368082747204fdc146
Instruction Fuzzy Hash: 47A17B70900608BFDF119FA4DE89EAE7BB9FB48344F10402AFA41B61A1C7794E51DF68

Function 00404473 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044C2
SetWindowTextA.USER32(00000000,?), ref: 004044EC
SHBrowseForFolderA.SHELL32(?,0079E918,?), ref: 0040459D
CoTaskMemFree.OLE32(00000000), ref: 004045A8
lstrcmpiA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,0079F540), ref: 004045DA
lstrcatA.KERNEL32(?,open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004045E6
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045F8

Part of subcall function 00405642: GetDlgItemTextA.USER32(?,?,00000400,0040462F), ref: 00405655

Part of subcall function 004061AC: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406204
Part of subcall function 004061AC: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406211
Part of subcall function 004061AC: CharNextA.USER32(?,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406216
Part of subcall function 004061AC: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406226

GetDiskFreeSpaceA.KERNEL32(0079E510,?,?,0000040F,?,0079E510,0079E510,?,00000001,0079E510,?,?,000003FB,?), ref: 004046B6
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046D1

Part of subcall function 0040482A: lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404745,000000DF,00000000,00000400,?), ref: 004048C8
Part of subcall function 0040482A: wsprintfA.USER32 ref: 004048D0
Part of subcall function 0040482A: SetDlgItemTextA.USER32(?,0079F540), ref: 004048E3

Strings

C:\ProgramData\wvtynvwe, xrefs: 004045C3
A, xrefs: 00404596
open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 004045D4, 004045D9, 004045E4

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\ProgramData\wvtynvwe$open C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 2624150263-3232468740
Opcode ID: 3c0359a4e2499cb1b58791620b1c2069b725a9ac35f7ca23850945cc9ffa1be5
Instruction ID: a2e4fbb223646fa704944566a3391d0c17d9cbc2cbed741d1673875fbf363f5e
Opcode Fuzzy Hash: 3c0359a4e2499cb1b58791620b1c2069b725a9ac35f7ca23850945cc9ffa1be5
Instruction Fuzzy Hash: C6A16EB1900209ABDB11EFA5CD41AAFB7B8EF85314F10843BF701B62D1D77C8A418B69

Function 0040570A Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405733
lstrcatA.KERNEL32(007A0548,\*.*,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040577B
lstrcatA.KERNEL32(?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579C
lstrlenA.KERNEL32(?,?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057A2
FindFirstFileA.KERNEL32(007A0548,?,?,?,0040A014,?,007A0548,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057B3
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405860
FindClose.KERNEL32(00000000), ref: 00405871

Strings

"C:\Users\user\Desktop\Rage.exe", xrefs: 0040570A
\*.*, xrefs: 00405775
C:\Users\user\AppData\Local\Temp\, xrefs: 00405717

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Rage.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2828151234
Opcode ID: bac28e60cfd6598e6d244b6c6dd5f2b57952399981f623fc13e4ff0d7e2d0873
Instruction ID: d13e86c599d1992239359fe06af11ecde70b93afebcb442c30f9b7feac53d967
Opcode Fuzzy Hash: bac28e60cfd6598e6d244b6c6dd5f2b57952399981f623fc13e4ff0d7e2d0873
Instruction Fuzzy Hash: 82519131800A04AADB217B658C45BBF7BB8DF42754F24807FF851721D1D73C8952DEAA

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\ProgramData\wvtynvwe, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\ProgramData\wvtynvwe
API String ID: 123533781-2371683539
Opcode ID: a26c2beb0f30681b548f380fb14fd97755e4f2b8dcf256f461589d36fb4f9269
Instruction ID: cf8f7130570b1b92896c88b61f7317bf39c47c02c96b55d236e0d8f8a2b8e87b
Opcode Fuzzy Hash: a26c2beb0f30681b548f380fb14fd97755e4f2b8dcf256f461589d36fb4f9269
Instruction Fuzzy Hash: F95136B5A00208BFCF10DFE4C988A9DBBB5EF48314F2041AAF915EB2D1DA799941CF54

Function 00406245 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(75923410,007A0D90,007A0948,00405A0B,007A0948,007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00406250
FindClose.KERNEL32(00000000), ref: 0040625C

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction ID: 33d6f2eefb205aa3b7ff26f6f1897bb94b895816ac4b0862ae3820c4f049c28d
Opcode Fuzzy Hash: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction Fuzzy Hash: F0D012329091205BC21067786E0C84B7A589F46370B214B7AB4AAF15E0C6388C6287E9

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 2bd42633c05d02f52777b451ddda99a2743e6e135658162a4d387a3c6b531069
Instruction ID: e695779f9ce9b998070782fd5a459e3569f6455c2d57c993d98b78b2031c355d
Opcode Fuzzy Hash: 2bd42633c05d02f52777b451ddda99a2743e6e135658162a4d387a3c6b531069
Instruction Fuzzy Hash: 8DF0A0726041119AD701E7B49D49AEEB768DB21324F60017BE695E20C2C6B88A469B2A

Function 00403B2F Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B6B
ShowWindow.USER32(?), ref: 00403B88
DestroyWindow.USER32 ref: 00403B9C
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BB8
GetDlgItem.USER32(?,?), ref: 00403BD9
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BED
IsWindowEnabled.USER32(00000000), ref: 00403BF4
GetDlgItem.USER32(?,00000001), ref: 00403CA2
GetDlgItem.USER32(?,00000002), ref: 00403CAC
SetClassLongA.USER32(?,000000F2,?), ref: 00403CC6
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D17
GetDlgItem.USER32(?,00000003), ref: 00403DBD
ShowWindow.USER32(00000000,?), ref: 00403DDE
EnableWindow.USER32(?,?), ref: 00403DF0
EnableWindow.USER32(?,?), ref: 00403E0B
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E21
EnableMenuItem.USER32(00000000), ref: 00403E28
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E40
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E53
lstrlenA.KERNEL32(0079F540,?,0079F540,00000000), ref: 00403E7D
SetWindowTextA.USER32(?,0079F540), ref: 00403E8C
ShowWindow.USER32(?,0000000A), ref: 00403FC0

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 7f76a5b8156c78a94673a487ddb43565ec2e9110f562ab6c46483f56c2dcbdcf
Instruction ID: b3be4a8df41bbb1a34e3297708249d174a72e40218f8278c8686e9c74d2bf613
Opcode Fuzzy Hash: 7f76a5b8156c78a94673a487ddb43565ec2e9110f562ab6c46483f56c2dcbdcf
Instruction Fuzzy Hash: 8CC1E071504205AFEB216F25ED89E2B3ABDEB85306F00443EF641B11F1CB3D9A529B6D

Function 0040414C Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041D7
GetDlgItem.USER32(00000000,000003E8), ref: 004041EB
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404209
GetSysColor.USER32(?), ref: 0040421A
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404229
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404238
lstrlenA.KERNEL32(?), ref: 0040423B
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040424A
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040425F
GetDlgItem.USER32(?,0000040A), ref: 004042C1
SendMessageA.USER32(00000000), ref: 004042C4
GetDlgItem.USER32(?,000003E8), ref: 004042EF
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040432F
LoadCursorA.USER32(00000000,00007F02), ref: 0040433E
SetCursor.USER32(00000000), ref: 00404347
LoadCursorA.USER32(00000000,00007F00), ref: 0040435D
SetCursor.USER32(00000000), ref: 00404360
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040438C
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043A0

Strings

N, xrefs: 004042DD
open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 0040431A

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$open C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 3103080414-3750366646
Opcode ID: 3fdeaefca53a56e234a94c61e234fdb8f55c9ed1e1da13f1627204f87759fe70
Instruction ID: fe94f9ee99578da6acd451f42b216120b5917c0b2e2c3b2ca95fb8a58add93f4
Opcode Fuzzy Hash: 3fdeaefca53a56e234a94c61e234fdb8f55c9ed1e1da13f1627204f87759fe70
Instruction Fuzzy Hash: 3E61A5B1A40209BFEB109F61DD45F6A7B79FB84704F10802AFB04BA2D1D778A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,007A2740,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 5d259313e85fbaf708a0b03883ff4ad94c3fd8dcebbcebd210a7d21844077b3d
Instruction ID: 38fadef1db352f82975619da7fddedca022a80716c75150ab5a709db8b4f24fa
Opcode Fuzzy Hash: 5d259313e85fbaf708a0b03883ff4ad94c3fd8dcebbcebd210a7d21844077b3d
Instruction Fuzzy Hash: CB416C71800249AFCB058F95DE459AFBBB9FF45314F00802EF9A1AA1A0C778DA55DFA4

Function 00405BB1 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D42,?,?), ref: 00405BE2
GetShortPathNameA.KERNEL32(?,007A12D0,00000400), ref: 00405BEB

Part of subcall function 00405A40: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A50
Part of subcall function 00405A40: lstrlenA.KERNEL32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A82

GetShortPathNameA.KERNEL32(?,007A16D0,00000400), ref: 00405C08
wsprintfA.USER32 ref: 00405C26
GetFileSize.KERNEL32(00000000,00000000,007A16D0,C0000000,00000004,007A16D0,?,?,?,?,?), ref: 00405C61
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C70
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA8
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED0,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFE
GlobalFree.KERNEL32(00000000), ref: 00405D0F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D16

Part of subcall function 00405ADB: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405ADF
Part of subcall function 00405ADB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B01

Strings

[Rename], xrefs: 00405C90, 00405CA2
%s=%s, xrefs: 00405C1C

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 36d44f5c9853182170fdc09cfff86aa36828fe8a00fb97525ec3968d79f5ff8e
Instruction ID: 637a3d628f16c5af013d2b0d1efa584cc5f297bc3ade19b8e2238539b1010773
Opcode Fuzzy Hash: 36d44f5c9853182170fdc09cfff86aa36828fe8a00fb97525ec3968d79f5ff8e
Instruction Fuzzy Hash: E6311231205B157BD2203B659D48F6B3A6CDF85754F28053AFA01F62D2EA3CE8018EBD

Function 00405F64 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000400), ref: 0040608F
GetWindowsDirectoryA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,00000400,?,0079ED20,00000000,004050A1,0079ED20,00000000), ref: 004060A2
SHGetSpecialFolderLocation.SHELL32(004050A1,759223A0,?,0079ED20,00000000,004050A1,0079ED20,00000000), ref: 004060DE
SHGetPathFromIDListA.SHELL32(759223A0,open C:\ProgramData\wvtynvwe\AutoIt3.exe), ref: 004060EC
CoTaskMemFree.OLE32(759223A0), ref: 004060F8
lstrcatA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040611C
lstrlenA.KERNEL32(open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0079ED20,00000000,004050A1,0079ED20,00000000,00000000,00790475,759223A0), ref: 0040616E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406116
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040605E
open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 00405F8E, 0040605B, 0040605C, 0040605D, 00406079, 0040608E, 004060A1, 004060BD, 004060E8, 0040611B, 00406121, 00406139, 0040614C, 00406167, 0040616D, 00406175, 0040619F

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 717251189-2195795450
Opcode ID: 4550c8ed14394774286f8022b57fa57a0b33301bca964282d4e54840fc3ca20a
Instruction ID: 657cab0ace126491ae758d46bb2980ba0dc5c343891863a13133d2e564576f3a
Opcode Fuzzy Hash: 4550c8ed14394774286f8022b57fa57a0b33301bca964282d4e54840fc3ca20a
Instruction Fuzzy Hash: 87611471900111AFEF109F68DC85BBA3BA4AB46314F12413FE943BA2D2C77D4962CB4E

Function 00405069 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125

Strings

y, xrefs: 00405089

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: y
API String ID: 2531174081-1062152503
Opcode ID: df9fa322c0453a065a888b8f71298073a1822c311b4ca3682e0548b8907b6f01
Instruction ID: 89683e74244f30e825ec863f7a89f7bffe3770603979b342a6609b7659f93117
Opcode Fuzzy Hash: df9fa322c0453a065a888b8f71298073a1822c311b4ca3682e0548b8907b6f01
Instruction Fuzzy Hash: F5218C71900518BACF119FA5DD84A9FBFA9EB09354F14807AF544AA290C7788A40CFA8

Function 004061AC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406204
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406211
CharNextA.USER32(?,"C:\Users\user\Desktop\Rage.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406216
CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004031A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 00406226

Strings

"C:\Users\user\Desktop\Rage.exe", xrefs: 004061E8
*?|<>/":, xrefs: 004061F4
C:\Users\user\AppData\Local\Temp\, xrefs: 004061AD

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Rage.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3651791744
Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
Instruction ID: bdcb7cc7c91d871583b49daff1dd0f9603b265494e114170260e43a32c5c6c09
Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
Instruction Fuzzy Hash: BB1108618047A129EB3226245C44B7B7FC88F577A0F1A00BFE4D6762C3C67C5C628A6D

Function 0040406A Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404087
GetSysColor.USER32(00000000), ref: 004040A3
SetTextColor.GDI32(?,00000000), ref: 004040AF
SetBkMode.GDI32(?,?), ref: 004040BB
GetSysColor.USER32(?), ref: 004040CE
SetBkColor.GDI32(?,?), ref: 004040DE
DeleteObject.GDI32(?), ref: 004040F8
CreateBrushIndirect.GDI32(?), ref: 00404102

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: e72f94c4e22ee448d473b15cc8768ff49957eee448288f542271c02bb7392c6c
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: 2E218471500704ABC7319F68DD08B4BBBF8AF41714F048939EA95F66A0D734E944CB54

Function 00404934 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040494F
GetMessagePos.USER32 ref: 00404957
ScreenToClient.USER32(?,?), ref: 00404971
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404983
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049A9

Strings

f, xrefs: 00404985

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 9f87d1f96637cd95e02eacff83315fbabeb05544dbb8078b13e3fe085f54f252
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 54015275900219BAEB10DBA4DD45BFFBBBCAF55711F10412BBA50B61C0C7B459018BA5

Function 00402C61 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
MulDiv.KERNEL32(001562AE,00000064,001562B2), ref: 00402CA7
wsprintfA.USER32 ref: 00402CB7
SetWindowTextA.USER32(?,?), ref: 00402CC7
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9

Strings

verifying installer: %d%%, xrefs: 00402CB1

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: eef9a404b70e8a65b08e01be9a087e60fbea96a6756cd33d7edc079d4ddd97f4
Instruction ID: e89b30bbe7a1ffbacd4e8467669da5a94a5c2e7b600bd1dad6d6b5a2d11bc3bf
Opcode Fuzzy Hash: eef9a404b70e8a65b08e01be9a087e60fbea96a6756cd33d7edc079d4ddd97f4
Instruction Fuzzy Hash: 0601177054020DFBEF249F61DD4AEEE3769EB04304F008039FA06B92D0DBB999558F59

Function 0040552F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405572
GetLastError.KERNEL32 ref: 00405586
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040559B
GetLastError.KERNEL32 ref: 004055A5

Strings

C:\Users\user\Desktop, xrefs: 0040552F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405555

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1521822154
Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction ID: 376828453cd42821b5cd8262128f85d8abda27f03043a04a3675b82aceba1981
Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction Fuzzy Hash: 5A010871D10219EADF009BA1DD04BEFBBB9EB04355F00803AD544B6290E7789608CFA9

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b45102d8d3259269e52f498ae29a62b13b390da9ee7db00c21edc77376252bc5
Instruction ID: 890f56038aeb86756f8426a045e697074279617aee550660c002ceda6b1f970f
Opcode Fuzzy Hash: b45102d8d3259269e52f498ae29a62b13b390da9ee7db00c21edc77376252bc5
Instruction Fuzzy Hash: 76219F71C00124BBCF216FA5DE49D9E7A79EF05364F14423AF924762E1CA794D418FA8

Function 00401FFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 00405069: lstrlenA.KERNEL32(0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000,?), ref: 004050A2
Part of subcall function 00405069: lstrlenA.KERNEL32(004030B9,0079ED20,00000000,00790475,759223A0,?,?,?,?,?,?,?,?,?,004030B9,00000000), ref: 004050B2
Part of subcall function 00405069: lstrcatA.KERNEL32(0079ED20,004030B9,004030B9,0079ED20,00000000,00790475,759223A0), ref: 004050C5
Part of subcall function 00405069: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 004050D7
Part of subcall function 00405069: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050FD
Part of subcall function 00405069: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405117
Part of subcall function 00405069: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405125

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Strings

/z, xrefs: 00402072

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: /z
API String ID: 2987980305-1190999251
Opcode ID: 199b9ca66f2f3be16db449d9886261fcca56c35d48349b9125478b6062e0a185
Instruction ID: ff4e9d8d41e245f71de90d7843dd5b4391991aa6675031779f7ddf1c1e2711a8
Opcode Fuzzy Hash: 199b9ca66f2f3be16db449d9886261fcca56c35d48349b9125478b6062e0a185
Instruction Fuzzy Hash: 5F21C971604215A7CF207FA58E49B5E7660AB45354F20413FF711B21D1CBBD4942965E

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B7F0), ref: 00401E1A

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 307c2f7223b588f157dad04ceaa6757d338b1b0beccffd4f2c8b683e5c007d1d
Instruction ID: 32ee968f6fa2a45aa154ac920770c0068bb4b7ad8556ade5f6a0693a6ec5f363
Opcode Fuzzy Hash: 307c2f7223b588f157dad04ceaa6757d338b1b0beccffd4f2c8b683e5c007d1d
Instruction Fuzzy Hash: 17019E72944645AFE7406BB1AE4AB9A3FF8EB55305F108439F241BA2F2CB7804058F7D

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5170087556e431b5de60660a5e52828f9803fa97d1a281977de149f3ddbae3c9
Instruction ID: 3a9f69e16af6b344df11f7afd522e3a5d0d390235353beccb8f2623f7f64b8ac
Opcode Fuzzy Hash: 5170087556e431b5de60660a5e52828f9803fa97d1a281977de149f3ddbae3c9
Instruction Fuzzy Hash: 79F0FFB2600515BFDB01EBA4DE88DAFB7BCEB44301B04446AF645F2191CA748D018B38

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 41634464237ffc4a490c33a013805357df40b2c394da3d94f718f411ee4b7c5f
Instruction ID: 47ba27bed09b34a83addf96e827a594e01ed27391bdeb3cad423947a258da186
Opcode Fuzzy Hash: 41634464237ffc4a490c33a013805357df40b2c394da3d94f718f411ee4b7c5f
Instruction Fuzzy Hash: 13218F71A44209BEEB05DFA5D946AED7BB0EB84304F14803EF505F61E1DA7889408F28

Function 0040482A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404745,000000DF,00000000,00000400,?), ref: 004048C8
wsprintfA.USER32 ref: 004048D0
SetDlgItemTextA.USER32(?,0079F540), ref: 004048E3

Strings

%u.%u%s%s, xrefs: 004048B2

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 9b343dceee09ed7e7f6ed0b0987783c5ae876ff08b8d7c4f564122da271ac9eb
Instruction ID: d40bf1ec6497005f72ea1027000651d0cda96484cb7ea430e24c6b5614f4196a
Opcode Fuzzy Hash: 9b343dceee09ed7e7f6ed0b0987783c5ae876ff08b8d7c4f564122da271ac9eb
Instruction Fuzzy Hash: 6A11E77760452827DB00757D9C45EAF3288DB86374F25463BFA25F61D1E978CC1281E8

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\ProgramData\wvtynvwe\clxs.a3x,00000023,?,00000000,00000002,00000011,00000002), ref: 0040241B
RegSetValueExA.ADVAPI32(?,?,?,?,C:\ProgramData\wvtynvwe\clxs.a3x,00000000,?,00000000,00000002,00000011,00000002), ref: 00402458
RegCloseKey.ADVAPI32(?,?,?,C:\ProgramData\wvtynvwe\clxs.a3x,00000000,?,00000000,00000002,00000011,00000002), ref: 0040253C

Strings

C:\ProgramData\wvtynvwe\clxs.a3x, xrefs: 0040240C, 0040242E, 00402442, 0040244D

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\ProgramData\wvtynvwe\clxs.a3x
API String ID: 2655323295-3552521189
Opcode ID: 95db2493a43c4bc9c0e441acb49331a876144abc02b3507964f67482ed42c715
Instruction ID: da24eaaec51cc95816ca64b213a576443ad0086fe66887fe7dbf5dd976a128c9
Opcode Fuzzy Hash: 95db2493a43c4bc9c0e441acb49331a876144abc02b3507964f67482ed42c715
Instruction Fuzzy Hash: 99115171E00215BEDF10FFA5DE89AAEBA74EB54754F20403BF908F61D1CAB84D419B29

Function 004059C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F42: lstrcpynA.KERNEL32(?,?,00000400,004032A0,007A2740,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F4F

Part of subcall function 00405973: CharNextA.USER32(?,?,007A0948,?,004059DF,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405981
Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 00405986
Part of subcall function 00405973: CharNextA.USER32(00000000), ref: 0040599A

lstrlenA.KERNEL32(007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A1B
GetFileAttributesA.KERNEL32(007A0948,007A0948,007A0948,007A0948,007A0948,007A0948,00000000,007A0948,007A0948,75923410,?,C:\Users\user\AppData\Local\Temp\,0040572A,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405A2B

Strings

Hz, xrefs: 004059CE
C:\Users\user\AppData\Local\Temp\, xrefs: 004059C8

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$Hz
API String ID: 3248276644-1641514571
Opcode ID: c9df4ada7f727d87a35fee49361aeb73f7da85869d5f85a71a166c7ad75332dd
Instruction ID: 5f745b3ca97bfd8df9e0b525eb7d85b75c6d739f83cdbb59465524be199bd04b
Opcode Fuzzy Hash: c9df4ada7f727d87a35fee49361aeb73f7da85869d5f85a71a166c7ad75332dd
Instruction Fuzzy Hash: 8CF0C875205D5156D622323A1C46B9F1745CE87378716463BF8A1B12D3DA3C88139DBE

Function 004058DA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031BB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004058E0
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031BB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033E2,?,00000006,00000008,0000000A), ref: 004058E9
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 004058FA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004058DA

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: eba76a58ea1ff6bfef612508d9b3474851936f6545664b5d745be25ef5a18ef4
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: F9D0A9A2201A316AD21237158C09ECB2A0CCF06340B050076F308B21A1CA3C0E428BFE

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
Instruction ID: fed2cd56577fe7b035228b0b929bbd134fccf085ba74c4e7284a1f4fa6732296
Opcode Fuzzy Hash: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
Instruction Fuzzy Hash: 96118832500119BBEF01AF91CF09F9E3B79EF18341F104036BA05B50E0E7B4EE51AAA8

Function 00402CE4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
GetTickCount.KERNEL32 ref: 00402D15
CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
ShowWindow.USER32(00000000,00000005), ref: 00402D40

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: b2f7b9a99862a26ec52413e932bcd24799532df146b5b51e48da17ed45f9cf5d
Instruction ID: 2d9097a6a3a823d92573342c87c8e140217056fb4289b76a45e4b4044a0a9852
Opcode Fuzzy Hash: b2f7b9a99862a26ec52413e932bcd24799532df146b5b51e48da17ed45f9cf5d
Instruction Fuzzy Hash: 6DF05E30401621EBC6206B28BFCEE8E7B74BB45B02712457BF459B11F8DB7C48868B9C

Function 00404FDD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040500C
CallWindowProcA.USER32(?,?,?,?), ref: 0040505D

Part of subcall function 0040404F: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404061

Strings

, xrefs: 00404FED

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 6250ec76a35d91786fe0f3bbb491aaaf262455cd01ad0a4232066028cfa3f1df
Instruction ID: b168498847f37538db73494297a7dd182b81320d309b40d671ad71c289bb08e9
Opcode Fuzzy Hash: 6250ec76a35d91786fe0f3bbb491aaaf262455cd01ad0a4232066028cfa3f1df
Instruction Fuzzy Hash: DA0171B1100609AFEF205F21DD85AAF3A26EB84754F144037F601B62D3C77E8C929E9D

Function 00405E29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,open C:\ProgramData\wvtynvwe\AutoIt3.exe,0079ED20,?,?,?,00000002,open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0040606D,80000002), ref: 00405E6F
RegCloseKey.ADVAPI32(?,?,0040606D,80000002,Software\Microsoft\Windows\CurrentVersion,open C:\ProgramData\wvtynvwe\AutoIt3.exe,open C:\ProgramData\wvtynvwe\AutoIt3.exe,open C:\ProgramData\wvtynvwe\AutoIt3.exe,?,0079ED20), ref: 00405E7A

Strings

open C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 00405E2C, 00405E60

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CloseQueryValue
String ID: open C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 3356406503-1147314467
Opcode ID: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction ID: a652aa08729c3d21628c8661c06e1e1b2c4f4dfec8f44bbca4e9ccaac311a026
Opcode Fuzzy Hash: fbc34f94f804cf7f8ceee3a94302c0ccfb61d5b85e95000fdd84f5b54f9224ff
Instruction Fuzzy Hash: 1E019A72500609AADF228F20CC09FDB3FA8EF05360F00802AF945A21A0D378DA14CBA8

Function 004055E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D48,Error launching installer), ref: 0040560A
CloseHandle.KERNEL32(?), ref: 00405617

Strings

Error launching installer, xrefs: 004055F4

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction ID: 62883942ff3fec4e096c12bfbc0e4171e63133af1454ac2aa76c170e6ce59af3
Opcode Fuzzy Hash: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction Fuzzy Hash: 4DE046F1600209BFEB009FA0ED09F7F7AACEB40744F408820BD14F6190D679A8008AB8

Function 004036FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,004036D5,004034EF,?,?,00000006,00000008,0000000A), ref: 00403717
GlobalFree.KERNEL32(00000000), ref: 0040371E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036FD

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction ID: c0f64fe77bbbc42f413017ec02fd14b49542df8adbdba9c58a8dfc12e9d6b7a7
Opcode Fuzzy Hash: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction Fuzzy Hash: 7DE0C2334011209BC621AF04EE0872E777CAF89B23F06842BF8407B36087781C524BCC

Function 00405921 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405927
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Rage.exe,C:\Users\user\Desktop\Rage.exe,80000000,00000003), ref: 00405935

Strings

C:\Users\user\Desktop, xrefs: 00405921

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 699ee4e888cd28ae38f9bca6902325149b4c823d91dd7122b0a75dbe1f7ac172
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: BED0C7F2409DB0AEE7036314DC04B9F6A48DF16750F1A0466E181A61A5C67C4D424BBD

Function 00405A40 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A50
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A68
CharNextA.USER32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A79
lstrlenA.KERNEL32(00000000,?,00000000,00405C9B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A82

Memory Dump Source

Source File: 00000000.00000002.2055378408.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2055350780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055395448.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055464181.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2055872847.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Rage.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 7766273d4772ca776c7068fad2e72d6e4ea3cdc9eabdeecb7889bf38aa2ec68c
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: F8F0F631200918BFC702DFA5CD40DAEBBA8EF06350B2541B9E844F7210D634EE019FA9

Analysis Process: AutoIt3.exePID: 6436, Parent PID: 2884COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 00215D78 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00215DA7

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

GetCurrentProcess.KERNEL32(?,002ADC2C,00000000,?,?), ref: 00215ED3
IsWow64Process.KERNEL32(00000000,?,?), ref: 00215EDA
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00215F05
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00215F17
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00215F25
FreeLibrary.KERNEL32(00000000,?,?), ref: 00215F2C
GetSystemInfo.KERNEL32(?,?,?), ref: 00215F51

Strings

|O, xrefs: 00254F80
GetNativeSystemInfo, xrefs: 00215F11
kernel32.dll, xrefs: 00215F00

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2b2d5cab4a92bff5e40714b1aa0307f0826e6d59b581ca2de724dbd6f5bb9597
Instruction ID: 7510206304eac0f8b6ff8f6439b33166a2220a067410cdb8b393e83bde4fc723
Opcode Fuzzy Hash: 2b2d5cab4a92bff5e40714b1aa0307f0826e6d59b581ca2de724dbd6f5bb9597
Instruction Fuzzy Hash: 5BA1C2318AA6D5CFC712DB68BCC91D87F98AB76300B0468D9E4879B261C67849DCCF35

Function 00213312 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002132EF,?), ref: 00213342
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002132EF,?), ref: 00213355
GetFullPathNameW.KERNEL32(00007FFF,?,?,002E2418,002E2400,?,?,?,?,?,?,002132EF,?), ref: 002133C1

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Part of subcall function 002141E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002133E9,002E2418,?,?,?,?,?,?,?,002132EF,?), ref: 00214227

SetCurrentDirectoryW.KERNEL32(?,00000001,002E2418,?,?,?,?,?,?,?,002132EF,?), ref: 00213442
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00253C8A
SetCurrentDirectoryW.KERNEL32(?,002E2418,?,?,?,?,?,?,?,002132EF,?), ref: 00253CCB
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002D31F4,002E2418,?,?,?,?,?,?,?,002132EF), ref: 00253D54
ShellExecuteW.SHELL32(00000000,?,?), ref: 00253D5B

Part of subcall function 0021345A: GetSysColorBrush.USER32(0000000F), ref: 00213465
Part of subcall function 0021345A: LoadCursorW.USER32(00000000,00007F00), ref: 00213474
Part of subcall function 0021345A: LoadIconW.USER32(00000063), ref: 0021348A
Part of subcall function 0021345A: LoadIconW.USER32(000000A4), ref: 0021349C
Part of subcall function 0021345A: LoadIconW.USER32(000000A2), ref: 002134AE
Part of subcall function 0021345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002134C6
Part of subcall function 0021345A: RegisterClassExW.USER32(?), ref: 00213517

Part of subcall function 0021353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213568
Part of subcall function 0021353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213589
Part of subcall function 0021353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,002132EF,?), ref: 0021359D
Part of subcall function 0021353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,002132EF,?), ref: 002135A6

Part of subcall function 002138F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002139C3

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00253C84
AutoIt, xrefs: 00253C7F
runas, xrefs: 00253D4F
0$., xrefs: 0021341C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$.$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3222768738
Opcode ID: aa5e9ce240ad71260f5bc0a5d024ddbed6a01bd6d09322ef48d0ddbd7ece13a7
Instruction ID: 09c39ae615bafa96197d06c6844f9cf07df340300642285a71eaf6ec113bbae2
Opcode Fuzzy Hash: aa5e9ce240ad71260f5bc0a5d024ddbed6a01bd6d09322ef48d0ddbd7ece13a7
Instruction Fuzzy Hash: 2351F831168385EAC705EF60EC59DEE7BE99FA5740F400469F482561A2CF708AADCF62

Function 00235078 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0023504E,?,002D98D8,0000000C,002351A5,?,00000002,00000000), ref: 00235099
TerminateProcess.KERNEL32(00000000,?,0023504E,?,002D98D8,0000000C,002351A5,?,00000002,00000000), ref: 002350A0
ExitProcess.KERNEL32 ref: 002350B2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 36f4c2d85e2e77f8dced23ac8f6ccede10654e4be1f5f5866dc046c0953cf131
Instruction ID: 01f7eaf234a3dba7e52098cc6a4747bd26a9a65eb39437faf1f72b9eaeb86af0
Opcode Fuzzy Hash: 36f4c2d85e2e77f8dced23ac8f6ccede10654e4be1f5f5866dc046c0953cf131
Instruction Fuzzy Hash: D3E0B671420658AFCF256F64ED0DE593B69EF45381F004054F81A8A522DF76DD62CFD0

Function 0029B958 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0029BAF7
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029BB0F
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029BB33
_wcslen.LIBCMT ref: 0029BB5F
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029BB73
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029BB95
_wcslen.LIBCMT ref: 0029BC91

Part of subcall function 00280E63: GetStdHandle.KERNEL32(000000F6), ref: 00280E82

_wcslen.LIBCMT ref: 0029BCAA
_wcslen.LIBCMT ref: 0029BCC5
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029BD15
GetLastError.KERNEL32(00000000), ref: 0029BD66
CloseHandle.KERNEL32(?), ref: 0029BD98
CloseHandle.KERNEL32(00000000), ref: 0029BDA9
CloseHandle.KERNEL32(00000000), ref: 0029BDBB
CloseHandle.KERNEL32(00000000), ref: 0029BDCD
CloseHandle.KERNEL32(?), ref: 0029BE42

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: affcf57f3988be9d1a217a8e00b2048f1458c078f19fb7a7489b1d9017f66212
Instruction ID: ca6724a36d18a7ab5c6af5eedfbf4563dbdd407bcd924b5f7a50c24312a91fa0
Opcode Fuzzy Hash: affcf57f3988be9d1a217a8e00b2048f1458c078f19fb7a7489b1d9017f66212
Instruction Fuzzy Hash: 5EF1F1716243019FCB15EF24D991B6ABBE5BF85310F14845DF8894B2A2CB30EC64CF52

Function 0021EE0A Relevance: 21.6, APIs: 14, Instructions: 609windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0021EEB7
timeGetTime.WINMM ref: 0021F0B7
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021F1D8
TranslateMessage.USER32(?), ref: 0021F22B
DispatchMessageW.USER32(?), ref: 0021F239
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0021F24F
Sleep.KERNEL32(0000000A), ref: 0021F261

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 37d575e52bc3097892f3db420671824f99be948d93331dfc39e14451461abf1c
Instruction ID: 0ff6d2634b5bc6467c9004829e3ac3a8fead14c52a4774bbb8cd5373549bfd8a
Opcode Fuzzy Hash: 37d575e52bc3097892f3db420671824f99be948d93331dfc39e14451461abf1c
Instruction Fuzzy Hash: 2F322570624342EFD724DF20C988BAAB7E4BF65300F14456DE8A987291C771E9E4CF92

Function 00213696 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00213690,?,?), ref: 002136FE
KillTimer.USER32(?,00000001,?,?,?,?,?,00213690,?,?), ref: 0021372A
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0021374D
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00213690,?,?), ref: 00213758
CreatePopupMenu.USER32 ref: 0021376C
PostQuitMessage.USER32(00000000), ref: 0021378D

Strings

0$., xrefs: 00253DD1
TaskbarCreated, xrefs: 00213753
0$., xrefs: 00253D83

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$.$0$.$TaskbarCreated
API String ID: 129472671-2258799765
Opcode ID: fb6953a410d4f498f1f2a95de27da4a545c974e32100834c2da865c4197ddea7
Instruction ID: 80eaefdbaf35312533add85c64b4137572d7aeed19cffab9d46da5ba8505dabd
Opcode Fuzzy Hash: fb6953a410d4f498f1f2a95de27da4a545c974e32100834c2da865c4197ddea7
Instruction Fuzzy Hash: 624128B11B4185E7DB18DF38AC4EBFA76EEE721350F001124F5078A2D1CAB48EB98A15

Function 002135AB Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002135DE
RegisterClassExW.USER32(00000030), ref: 00213608
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00213619
InitCommonControlsEx.COMCTL32(?), ref: 00213636
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00213646
LoadIconW.USER32(000000A9), ref: 0021365C
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0021366B

Strings

AutoIt v3 GUI, xrefs: 002135FA
+, xrefs: 002135C7
TaskbarCreated, xrefs: 0021360E
0, xrefs: 002135C0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 457471e30de67a931c84c9acb22c3041e3b778db85e13d789d588da90ed17f0e
Instruction ID: f5c30992dd1c1a48037342d0e8d5ce8b56043d6f7f8ef3ca748c7be4c224e307
Opcode Fuzzy Hash: 457471e30de67a931c84c9acb22c3041e3b778db85e13d789d588da90ed17f0e
Instruction Fuzzy Hash: 5F21B4B1991258EFDB009F94FC89BDDBBB8FB09700F10511AF512AA2A0DBB555498F90

Function 002509FB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025073A: CreateFileW.KERNELBASE(00000000,00000000,?,00250AA4,?,?,00000000,?,00250AA4,00000000,0000000C), ref: 00250757

GetLastError.KERNEL32 ref: 00250B0F
__dosmaperr.LIBCMT ref: 00250B16
GetFileType.KERNELBASE(00000000), ref: 00250B22
GetLastError.KERNEL32 ref: 00250B2C
__dosmaperr.LIBCMT ref: 00250B35
CloseHandle.KERNEL32(00000000), ref: 00250B55
CloseHandle.KERNEL32(?), ref: 00250C9F
GetLastError.KERNEL32 ref: 00250CD1
__dosmaperr.LIBCMT ref: 00250CD8

Strings

H, xrefs: 00250C5D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 61acb7484e81ef79b35deaf9b50b15915fd7c45473c3e06701d24b25ddcbd506
Instruction ID: b202575d992c3e96b15f7bfaa5fc59e00c97f1548c19310f929abf2dc48e7122
Opcode Fuzzy Hash: 61acb7484e81ef79b35deaf9b50b15915fd7c45473c3e06701d24b25ddcbd506
Instruction Fuzzy Hash: D6A13732A202458FDF199F68ECD6BAE7BA0EB06325F140159FC119F2A1CB309D26CF55

Function 0021522E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0021551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00254B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00215539

Part of subcall function 002151BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002151E1

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0021534B
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00254BD7
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00254C18
RegCloseKey.ADVAPI32(?), ref: 00254C5A
_wcslen.LIBCMT ref: 00254CC1
_wcslen.LIBCMT ref: 00254CD0

Strings

\Include\, xrefs: 00215308
\, xrefs: 00254CD6
Software\AutoIt v3\AutoIt, xrefs: 00215341
Include, xrefs: 00254BCE, 00254C0F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 650e295cc43705b8a0215707d74bcbeac29758e7a6f1b7a27c90d38e9a5f0dd9
Instruction ID: 46ae5856a729a089462af2d24b7f6ebed6a860e2f368274c8abc649c415a0e09
Opcode Fuzzy Hash: 650e295cc43705b8a0215707d74bcbeac29758e7a6f1b7a27c90d38e9a5f0dd9
Instruction Fuzzy Hash: DE7170715643419EC310EF65E889DABBBF8FF99341F40046EF845871A0EF709A98CBA1

Function 0021345A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00213465
LoadCursorW.USER32(00000000,00007F00), ref: 00213474
LoadIconW.USER32(00000063), ref: 0021348A
LoadIconW.USER32(000000A4), ref: 0021349C
LoadIconW.USER32(000000A2), ref: 002134AE
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002134C6
RegisterClassExW.USER32(?), ref: 00213517

Part of subcall function 002135AB: GetSysColorBrush.USER32(0000000F), ref: 002135DE
Part of subcall function 002135AB: RegisterClassExW.USER32(00000030), ref: 00213608
Part of subcall function 002135AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00213619
Part of subcall function 002135AB: InitCommonControlsEx.COMCTL32(?), ref: 00213636
Part of subcall function 002135AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00213646
Part of subcall function 002135AB: LoadIconW.USER32(000000A9), ref: 0021365C
Part of subcall function 002135AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0021366B

Strings

#, xrefs: 002134ED
AutoIt v3, xrefs: 00213506
0, xrefs: 002134E6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d274beceb6f6c2527b979b17abcc7eaa6baf643202954959f7faad8596d52f2d
Instruction ID: a23b0204ab4d3135c7ab95247dd96217fe1bb224d048a1e6d26655797058e15b
Opcode Fuzzy Hash: d274beceb6f6c2527b979b17abcc7eaa6baf643202954959f7faad8596d52f2d
Instruction Fuzzy Hash: 68214170D90398EBDB109F95FC8DB99BFBDFB08B50F00005AE506AA260C7B545498F90

Function 0021CA50 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021CE8E

Strings

p5., xrefs: 0021CC1C
p3., xrefs: 002615B8
p5., xrefs: 0021CE72
p3., xrefs: 0021CDB2
p3., xrefs: 002615CC
x3., xrefs: 00261570
p3., xrefs: 0021CEAB
x3., xrefs: 002614D1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID: p3.$p3.$p3.$p3.$p5.$p5.$x3.$x3.
API String ID: 1385522511-1964687501
Opcode ID: 1072b4fe1e15d902169015f39f3772a68e06624884f861dbb14cf6c68f69fc2a
Instruction ID: 481c51044605f65576129d9e013cba23e84bc7ee3cccf689aa2b21fab497aec2
Opcode Fuzzy Hash: 1072b4fe1e15d902169015f39f3772a68e06624884f861dbb14cf6c68f69fc2a
Instruction Fuzzy Hash: BC32C378A642469FCB24CF54C885EBAB7F5EF54314F28805AE805AB251C774EEF1CB90

Function 0021F680 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D5., xrefs: 0026458D
Variable must be of type 'Object'., xrefs: 0026486A
D5., xrefs: 002645E0
D5.D5., xrefs: 0021F92E
D5., xrefs: 0021FB61
D5., xrefs: 0021F890

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID: D5.$D5.$D5.$D5.$D5.D5.$Variable must be of type 'Object'.
API String ID: 0-44600119
Opcode ID: 1982336acf7b0f94cfda2759eaf192157b12c88d0c39db933af0f6c8d808569c
Instruction ID: f6ba520bb18a2ace03960080d3a1e4a20f572b286bc5359774b84508afa18384
Opcode Fuzzy Hash: 1982336acf7b0f94cfda2759eaf192157b12c88d0c39db933af0f6c8d808569c
Instruction Fuzzy Hash: 20C2DF71A20205DFCB24DF98C990BADB7F1BF19310F248169E855AB3A1D375ADA1CF90

Function 002202F0 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002215A2

Strings

D5., xrefs: 00220A1A
D5., xrefs: 00220667
D5., xrefs: 00265F9D
D5.D5., xrefs: 0022070B
D5., xrefs: 00265FF1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5.$D5.$D5.$D5.$D5.D5.
API String ID: 1385522511-4281481159
Opcode ID: c6e312a8dc0163b2d6ffa9dc3ea5abebd7e0c65595104cacbb29bcacd37c55a9
Instruction ID: 9e3e6e9d3c066f7341fb3f6daa5f4ddc9dd1301d12acef70b3c7d08ae4891d3e
Opcode Fuzzy Hash: c6e312a8dc0163b2d6ffa9dc3ea5abebd7e0c65595104cacbb29bcacd37c55a9
Instruction Fuzzy Hash: 2DB2AB70A24361EFDB24CF54E4C4A2AB7E1BB99300F64495DE9858B352D771ECA0CF92

Function 00212A52 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00212A9B
CoUninitialize.COMBASE ref: 00212B3A
UnregisterHotKey.USER32(?), ref: 00212D1F
DestroyWindow.USER32(?), ref: 002539F5
FreeLibrary.KERNEL32(?), ref: 00253A5A
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00253A87

Strings

close all, xrefs: 00212A96

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fb0a4d8efefae61a61d8157346cf7e7958447affacd2cc31e0da0a9662e1f860
Instruction ID: 0a885c4f0c5cfed830539ad04065353a0fee76eb38d529bde87dd6c8453eff2a
Opcode Fuzzy Hash: fb0a4d8efefae61a61d8157346cf7e7958447affacd2cc31e0da0a9662e1f860
Instruction Fuzzy Hash: BFD19A31721212CFCB29EF14C499BA9F7A0BF15705F1041ADE84A6B251CB70AD7ACF84

Function 002490D5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c2498e3146339f8dc3065cbaac63c129f101ed981d0b5a656a72e7c93cda1f
Instruction ID: 43e649af67c7618116a104dee9bf30606abda1a7fcda968ac5c37e6d6ae165c6
Opcode Fuzzy Hash: d9c2498e3146339f8dc3065cbaac63c129f101ed981d0b5a656a72e7c93cda1f
Instruction Fuzzy Hash: 0AC10BB0D143469FCF19DFA8D845BAE7FB4AF4A310F140199E914A7392C77099A1CF61

Function 00212735 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00213205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00213236
Part of subcall function 00213205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0021323E
Part of subcall function 00213205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00213249
Part of subcall function 00213205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00213254
Part of subcall function 00213205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0021325C
Part of subcall function 00213205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00213264

Part of subcall function 0021318C: RegisterWindowMessageW.USER32(00000004,?,00212906), ref: 002131E4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002129AC
OleInitialize.OLE32 ref: 002129CA
CloseHandle.KERNEL32(00000000,00000000), ref: 002539E7

Strings

0$., xrefs: 002129D0
$., xrefs: 002127AC
(&., xrefs: 002128D4
@(., xrefs: 00212906

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&.$0$.$@(.$$.
API String ID: 1986988660-2181936470
Opcode ID: f664db8a76ab7c8a6d0eeb3c8ad04503eb35054f92c5243cee98604ed64ebee5
Instruction ID: ac7cf924aac9a9872264c2cc134b4cf9d27dabf932fe09d86c273ee1fe160476
Opcode Fuzzy Hash: f664db8a76ab7c8a6d0eeb3c8ad04503eb35054f92c5243cee98604ed64ebee5
Instruction Fuzzy Hash: 9C719EB09A1284CF8788DF69BEAD6553AEDFB59304390412AE40BCB2A1EB70445DCF64

Function 0021353A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00213568
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00213589
ShowWindow.USER32(00000000,?,?,?,?,?,?,002132EF,?), ref: 0021359D
ShowWindow.USER32(00000000,?,?,?,?,?,?,002132EF,?), ref: 002135A6

Strings

edit, xrefs: 00213583
AutoIt v3, xrefs: 00213560, 00213565, 00213566

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 29a5e0459b1556e395a6ef8fc4719b49528c4c5c77788f19e1ede5df8ef56a9e
Instruction ID: dc2a58fa33dae341418d3d76cf211366227d2eac3ddec1f97047fe1bf6e52859
Opcode Fuzzy Hash: 29a5e0459b1556e395a6ef8fc4719b49528c4c5c77788f19e1ede5df8ef56a9e
Instruction Fuzzy Hash: 8EF017706802D4BAE72507137C8CE376FBDD7C7F10B00005AB906AA5A0D6791859DEB0

Function 00215F59 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00255110

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00216049

Strings

AutoIt - , xrefs: 00215FBD
Line %d: , xrefs: 0025518E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: f9b316130ccd469d7e5267e383369104a391e9b33661c0fbd12dcacdc5377d3d
Instruction ID: c5d5a2a5094776317031708229048898857541e6fba6d8ed746722cd32b97b82
Opcode Fuzzy Hash: f9b316130ccd469d7e5267e383369104a391e9b33661c0fbd12dcacdc5377d3d
Instruction Fuzzy Hash: BD41F871028315ABC311EB60DC85ADF77ECAFA5320F00495AF489920A1DB709AADCF92

Function 002155F8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002155EB,SwapMouseButtons,00000004,?), ref: 0021561C
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002155EB,SwapMouseButtons,00000004,?), ref: 0021563D
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002155EB,SwapMouseButtons,00000004,?), ref: 0021565F

Strings

Control Panel\Mouse, xrefs: 0021561A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 18de85036ec732186bae9a38a18abbe9877a6a48cf1554faf42c6c4f779d1713
Instruction ID: 582bcfa182d2042a794ace27976f90da1e837cc675e64035a3dcd6ded8c3be9c
Opcode Fuzzy Hash: 18de85036ec732186bae9a38a18abbe9877a6a48cf1554faf42c6c4f779d1713
Instruction Fuzzy Hash: 36115AB1620658FFDB208F64DC44EEFB7FCEF61744B4044A9B905D7120E6719E9497A0

Function 00213A1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00254115

Part of subcall function 0021557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00215558,?,?,00254B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0021559E

Part of subcall function 002139DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002139FD

Strings

`u-, xrefs: 0025410E
X, xrefs: 002540E3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u-
API String ID: 779396738-3193000344
Opcode ID: c1452ea3f2ab0c231f21c409b9190474f5deea63147756ad6a96c83732e6ed35
Instruction ID: f77e5fdccd8212578db88e3771a7a034a265692dd56db336c0c2771f46c76426
Opcode Fuzzy Hash: c1452ea3f2ab0c231f21c409b9190474f5deea63147756ad6a96c83732e6ed35
Instruction Fuzzy Hash: 6921C671A202589BCB11DF94D8057EE7BFD9F59304F00405AE905A7381DBF85ADD8FA1

Function 0023016B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002309F8

Part of subcall function 00233634: RaiseException.KERNEL32(?,?,?,00230A1A,?,00000000,?,?,?,?,?,?,00230A1A,00000000,002D9758,00000000), ref: 00233694

__CxxThrowException@8.LIBVCRUNTIME ref: 00230A15

Strings

Unknown exception, xrefs: 00230A22

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2627cd1965b847cb78f67f368bd13151c09f4c34e3c08508aca3aa72fbcf3e73
Instruction ID: ab42a90d4eebf8155d8231458711de780ef3a6206ec8632270879caaed4213c3
Opcode Fuzzy Hash: 2627cd1965b847cb78f67f368bd13151c09f4c34e3c08508aca3aa72fbcf3e73
Instruction Fuzzy Hash: 6BF0C8F453030E779B00BE64D8A6A9EB77C5E00B50F604121B928915E2EB70EE76C9E0

Function 002988B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00298C52
TerminateProcess.KERNEL32(00000000), ref: 00298C59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00298E3A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 09538d7f10ca3011ac31a1a530330483c5a603e23782aa7d2e43fb9c929ec39f
Instruction ID: e51b2b89003b9a44917757a8f58252c9882ac9846fa19f4ed3476679f9afedc4
Opcode Fuzzy Hash: 09538d7f10ca3011ac31a1a530330483c5a603e23782aa7d2e43fb9c929ec39f
Instruction Fuzzy Hash: F8126B719183419FCB14DF28C494B6ABBE5BF89314F18895DE8898B292CB30E955CF92

Function 00216BFA Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00216CA1
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00216CB1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e64432800b024e6f9f742abd6fbf27f9b3c021f9c8d534a2f6c1853cac1dd8a8
Instruction ID: ca6bfdfa2aac34eef1a830f5d0dd9cf021d6d3098b88c8bb6c0266c416dc814e
Opcode Fuzzy Hash: e64432800b024e6f9f742abd6fbf27f9b3c021f9c8d534a2f6c1853cac1dd8a8
Instruction Fuzzy Hash: 79314971A1061AEBDB14CF68C988BDDB7F5FB14314F14862AE81597240C7B1BEA4CBD0

Function 0022FCBB Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00215F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00216049

KillTimer.USER32(?,00000001,?,?), ref: 0022FD44
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0022FD53
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0026FDD3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: e6f030c6910ab61362db63fd32e24ad2abcf238eff3f63824f4b84a8629fb904
Instruction ID: 6d517fcdd7408b6d1514fd403a3aadd19030397338f8b97a8c085502cf12c90e
Opcode Fuzzy Hash: e6f030c6910ab61362db63fd32e24ad2abcf238eff3f63824f4b84a8629fb904
Instruction Fuzzy Hash: 3431E570914354AFEB62CF209985BE6BBEC9F02308F0004AEE5DA57241C7746AC8CB51

Function 00248A3E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,0024895C,?,002D9CE8,0000000C), ref: 00248A94
GetLastError.KERNEL32(?,0024895C,?,002D9CE8,0000000C), ref: 00248A9E
__dosmaperr.LIBCMT ref: 00248AC9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 6ffd2cf037a9f8f64fe84bb2db47c216c0bfd07cd6b7633812ff132473d299bd
Instruction ID: e482a5fe053b4401fe4b1d7e0bb0a738e702f9acbb20e69632290e1c44e3ba23
Opcode Fuzzy Hash: 6ffd2cf037a9f8f64fe84bb2db47c216c0bfd07cd6b7633812ff132473d299bd
Instruction Fuzzy Hash: A4016F3263557057D72C2734688577E678A4B81734F2D026BF8189B5D3DEF0CCE48690

Function 0024971B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,002497CA,FF8BC369,00000000,00000002,00000000), ref: 00249754
GetLastError.KERNEL32(?,002497CA,FF8BC369,00000000,00000002,00000000,?,00245EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00236F61), ref: 0024975E
__dosmaperr.LIBCMT ref: 00249765

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: bf20627b49acec3d219e02a827fe947224c8445cd0e152aa59345182fb2e7c94
Instruction ID: 4f65ba319b67859a9a6e2e76ed524444a8b43d95c85dee5ae43a3adfe18fd0cb
Opcode Fuzzy Hash: bf20627b49acec3d219e02a827fe947224c8445cd0e152aa59345182fb2e7c94
Instruction Fuzzy Hash: 4E014072A30115AFCB099F95EC45C5FB72DDB85330B240255F8158B191EA70DD61CF90

Function 00222AD0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00222FB6

Strings

CALL, xrefs: 00222F86

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e033f44e25584a793f0560454fde1ec8876010813d2383fcb19e2b0171615167
Instruction ID: 337c1591f13f79ca5e237a42e01f3e8286cca107aeb41238193c68b6fb7e9b38
Opcode Fuzzy Hash: e033f44e25584a793f0560454fde1ec8876010813d2383fcb19e2b0171615167
Instruction Fuzzy Hash: B422BB70628202EFC714DF54E480B2ABBF1BF98314F24895DF4868B361D772E9A5CB52

Function 00221940 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bba8d88f2a25513cd42567a05a99749af598a82f45fdfa7b32ca1aca7eeceb
Instruction ID: 5b539f1f0bbd584022f1667caa398e7fda251866cdd1cce9a096c5c8a93b0f1a
Opcode Fuzzy Hash: 76bba8d88f2a25513cd42567a05a99749af598a82f45fdfa7b32ca1aca7eeceb
Instruction Fuzzy Hash: B8321F70A20216EFDB20DFA4D885FAEB7B4EF10310F048459E855AB2A1D771ADB4CF91

Function 002141E6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002133E9,002E2418,?,?,?,?,?,?,?,002132EF,?), ref: 00214227

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Strings

$., xrefs: 00214241

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: $.
API String ID: 4019309064-3373234421
Opcode ID: fd4681343910f172e9813647b489a5572cfe025371f9114b0e21a32f19449970
Instruction ID: 2816f9eb78188f5258d830addbf5e9b7fa89b822bf486c0dc6b0ecaf3aa2dfb4
Opcode Fuzzy Hash: fd4681343910f172e9813647b489a5572cfe025371f9114b0e21a32f19449970
Instruction Fuzzy Hash: 3611A175630209DBCB10FBA49845EDE73ECAF29350B4000A5B949D7281DEB4A7E88F51

Function 002138F2 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002139C3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c472efd6e6e9a7f1b71b66dc4a39ff6ac577a6d1a0a4cc4175d05bde5cd40b63
Instruction ID: 2d6fc5c248506703c24495da978be0bc309f266761906f18f14a1f2fd9efd214
Opcode Fuzzy Hash: c472efd6e6e9a7f1b71b66dc4a39ff6ac577a6d1a0a4cc4175d05bde5cd40b63
Instruction Fuzzy Hash: AE315070514741CFD720DF24D889797BBE8FB59718F00092EE59A87280D7B5A998CF52

Function 00216E52 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00213B33,?,00008000), ref: 00216E80
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00213B33,?,00008000), ref: 002559A2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de2fe4c428ed8643d6030f14b3b13e71828c334700f9e392cc7db59cce45f243
Instruction ID: 51fe3e951f2677cbd89c06b5c54116ca738fff13ff785dc9e0726b33ff6571c7
Opcode Fuzzy Hash: de2fe4c428ed8643d6030f14b3b13e71828c334700f9e392cc7db59cce45f243
Instruction Fuzzy Hash: 44018031245221BAE3300A26DC0EF9B7F98EF12774F118310BE996A1E0CBB458A4CB90

Function 002132A2 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 002132C4

Part of subcall function 0021326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00213282
Part of subcall function 0021326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00213299

Part of subcall function 00213312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002132EF,?), ref: 00213342
Part of subcall function 00213312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002132EF,?), ref: 00213355
Part of subcall function 00213312: GetFullPathNameW.KERNEL32(00007FFF,?,?,002E2418,002E2400,?,?,?,?,?,?,002132EF,?), ref: 002133C1
Part of subcall function 00213312: SetCurrentDirectoryW.KERNEL32(?,00000001,002E2418,?,?,?,?,?,?,?,002132EF,?), ref: 00213442

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 002132FE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 448a1cb5e38f5a33abb6f705dd14ef1fd7dd3287fef69ede2fda8c8c70c3d2ff
Instruction ID: 4a3eed90f2d379e199d4e156da4dd317943c5d73c0f0d1daefa8727ccbfed048
Opcode Fuzzy Hash: 448a1cb5e38f5a33abb6f705dd14ef1fd7dd3287fef69ede2fda8c8c70c3d2ff
Instruction Fuzzy Hash: 88F054719E4384DFE300AF60FC8EB6537E9A715705F504486B51A8D5E2CFB985A48F44

Function 002961FF Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0029628D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 498ee51fbd034fc92570fdd8b833c9ea42c27b29ababbd19255b0ecce2379d9e
Instruction ID: ef22c7262d5cc2cb512c760a1d5bd42d52392e59732e4fcce56cefba7695edd1
Opcode Fuzzy Hash: 498ee51fbd034fc92570fdd8b833c9ea42c27b29ababbd19255b0ecce2379d9e
Instruction Fuzzy Hash: 4A718A70A20216AFDF24DF94C8849BAB7F5FF59300F208069E9459B291D771AD61CB90

Function 0023F126 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e027878fd6e06fe2150e9be1bf67f0bbc4fe003902937a4daab5e5a7e508a7
Instruction ID: 9a781c0cf8706432912384864dfa568308c6d50444fefea9fce04a42d9f2ca17
Opcode Fuzzy Hash: 74e027878fd6e06fe2150e9be1bf67f0bbc4fe003902937a4daab5e5a7e508a7
Instruction Fuzzy Hash: E051E5B5E20205EFDB50CF68E940E6A7BB1EB85364F198168EC489B392C771DD52CB90

Function 0027FBCA Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0027FBE3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 42fa32478ae2ce696d3c2542da5c5ef21d47ea4c687ad4a2bb7fe5411c285a93
Instruction ID: a1545e5710080905fa6d5c4e2efcb5aa0cbf336601b014fe746af6a3082ddfe5
Opcode Fuzzy Hash: 42fa32478ae2ce696d3c2542da5c5ef21d47ea4c687ad4a2bb7fe5411c285a93
Instruction Fuzzy Hash: 964193B6A10209AFCB11EFA4C9819AF77B8EF58314F11853EE91A97241EB70DA54CB50

Function 0021636D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00216332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0021637F,?,?,002160AA,?,00000001,?,?,00000000), ref: 0021633E
Part of subcall function 00216332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00216350
Part of subcall function 00216332: FreeLibrary.KERNEL32(00000000,?,?,0021637F,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216362

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002160AA,?,00000001,?,?,00000000), ref: 0021639F

Part of subcall function 002162FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002554C3,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216304
Part of subcall function 002162FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00216316
Part of subcall function 002162FB: FreeLibrary.KERNEL32(00000000,?,?,002554C3,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216329

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 501a93f9441b67ee2a5c0785a993c3aa8cbe66435998730b0ac1b37282fd77f6
Instruction ID: 71e2616a3f59892e74acba3691d1f811315b13a858bb7208fbb08b8ff575a277
Opcode Fuzzy Hash: 501a93f9441b67ee2a5c0785a993c3aa8cbe66435998730b0ac1b37282fd77f6
Instruction Fuzzy Hash: 85112731620215ABCF14FF20C80ABED77E59F60B11F508429F853A60C1DFB59EA59F50

Function 00248792 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002487D0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 516e65b805c26c33863a301884115e0c71bef5d5cb3b45a0b3aaa1f3de16877a
Instruction ID: 80b0c5778dffd4dc767baeee661e0af7ea3ac7afb537c2fe0c284788032dde4d
Opcode Fuzzy Hash: 516e65b805c26c33863a301884115e0c71bef5d5cb3b45a0b3aaa1f3de16877a
Instruction Fuzzy Hash: 48115A7591410AAFCF0ADF58E940A9E7BF5EF48314F104069FC08AB311DA30EA21CBA4

Function 0021B050 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00216B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0021B0AC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: dd11deb2b56066fcb1c6317c5325a108ebdee586325557a7489d9217cebad490
Instruction ID: 4c08bb5f7ef1048e74caca2a3b5629a98a3f2a4f0f8425d4a0a4b17a425ac0b2
Opcode Fuzzy Hash: dd11deb2b56066fcb1c6317c5325a108ebdee586325557a7489d9217cebad490
Instruction Fuzzy Hash: 65114C31210705DFD721CF15D480BA7B7F9EF58354F10C42DE9AA8BA50C7B1A995CB60

Function 00245390 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,002431B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0024504E

_free.LIBCMT ref: 002453FC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
Instruction ID: 171bf2b12c11b544822e0cc571b0d456c71613a3a8f6d01390d6a1ee48d585e0
Opcode Fuzzy Hash: fba82c0aa068c5562b6699b73bb903d727f3ae0d836859c59312de60e55cd848
Instruction Fuzzy Hash: E00166B3214705ABE3258E259841A5AFBDCEB89370F250A6DE1C483281EAB0A845CA70

Function 0023E992 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
Instruction ID: b3445b25e908c883b6f931858965ba9af960d2565c833c4acd580d72bec27be2
Opcode Fuzzy Hash: aea155f1e03846a7945f3ef32b85c3da0dbec0b08e6aeb419bf15716d252f37c
Instruction Fuzzy Hash: 48F02DB2530B2097DB353E769C0575A33989F41735F110B15F865921D1DFB0D82A8F92

Function 0021B25F Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0021B269

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 41857fa16978e823efbc9f025671a5b1dff55116fb35f6b10a015bb473353f75
Instruction ID: 17cb98d70e03b4d394c8f37d65fb0d1005dd23029796ca61a54ee25293a22063
Opcode Fuzzy Hash: 41857fa16978e823efbc9f025671a5b1dff55116fb35f6b10a015bb473353f75
Instruction Fuzzy Hash: 73F02DB25107047EC7105F28CC02E97BBA4EF54360F10822AFA19CB1D0DB31E4608BA0

Function 0024500D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,002431B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0024504E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02f4c7d47f723c9d033cc5ceefc78f60fb2961375e6340695441a68cc1417e8b
Instruction ID: 7801988a4f3316be47733992b0d01aa55e4c391811242ce75086dd50f1bfe655
Opcode Fuzzy Hash: 02f4c7d47f723c9d033cc5ceefc78f60fb2961375e6340695441a68cc1417e8b
Instruction Fuzzy Hash: 6EF0E935A35D35A7DB395E229C05F5A374CAF497A1F185015BC999A192CA70DC208AE0

Function 00243BB0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00236A99,?,0000015D,?,?,?,?,002385D0,000000FF,00000000,?,?), ref: 00243BE2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 88251bf4c05d58d3ee66cb6f21b012c5ebc4b30c3e39385c4834b1f4e41af969
Instruction ID: bd71dce6751245fb9dee9c8c5094ee2e51efdaf80397ea0425e7a4e55d4cf57d
Opcode Fuzzy Hash: 88251bf4c05d58d3ee66cb6f21b012c5ebc4b30c3e39385c4834b1f4e41af969
Instruction Fuzzy Hash: 5FE02B3163422297D724AE76AC06F5B768CDF417E4F150121FC0AD60D0DB60DD2089E1

Function 002163DB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4e187bebb9d157d91d5b39e424ee48f939e8eb486e51a63516fd7e305421ff
Instruction ID: 72dd019a997b13cbb2d0dcd2bc34fceeef98a08b97d07828bcb4ac7ae68a2440
Opcode Fuzzy Hash: 4b4e187bebb9d157d91d5b39e424ee48f939e8eb486e51a63516fd7e305421ff
Instruction Fuzzy Hash: 47F03071121712CFCB349F64D498896BBE5FF14316364897EE5D782520C771A894DF50

Function 00266A79 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00266A84

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c74d7dccc2f7e84d4d85cf1989d359464e82f8b87dab7f09dde6bab7661a59d9
Instruction ID: 9a72da6fd650d14e77c22c2f2c19015848cc288611fc2ea68f398a0273772503
Opcode Fuzzy Hash: c74d7dccc2f7e84d4d85cf1989d359464e82f8b87dab7f09dde6bab7661a59d9
Instruction Fuzzy Hash: A2F0E5B1B342016AE7205EB4A819BA2B7E4AB12314F14890AD8C982181C7F554F497A2

Function 00265004 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0026500F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 6412a0ae6ecd37d4b62abd6a430ba8f2e1e73ab5a76ca7c94f9c94e1b993e723
Instruction ID: 1a2cf42bddc16c21722a288c025d6a554a8634b701925c41058a495d5c5833e2
Opcode Fuzzy Hash: 6412a0ae6ecd37d4b62abd6a430ba8f2e1e73ab5a76ca7c94f9c94e1b993e723
Instruction Fuzzy Hash: 82F06571A202149BDF20DF94E881B9DB7F4BF15361F104429E899DB341D67699B08F90

Function 0021653A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00216558

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction ID: de424f07c4390cf330d40a969774f585084e15c100fc187a0630053232fefe43
Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
Instruction Fuzzy Hash: 49F0587141020DFFDF04CF80C941E9E7BB9FB04308F208445F9158A151D336DA21EBA0

Function 0027D4BF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,002541AF,002D4600,00000002), ref: 0027D4E6

Part of subcall function 0027D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0027D4D9,?,?,?), ref: 0027D419
Part of subcall function 0027D3F7: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0027D4D9,?,?,?,?,002541AF,002D4600,00000002), ref: 0027D42E
Part of subcall function 0027D3F7: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0027D4D9,?,?,?,?,002541AF,002D4600,00000002), ref: 0027D43A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: e31b1533fb8a36268061bac3e30134ce6bd4e03b5745f3d200c018db273601e7
Instruction ID: 728047bcea0e65a8aa5d5004fe90b94ea51cf68c1aa3cd2d17c4ad16feb65643
Opcode Fuzzy Hash: e31b1533fb8a36268061bac3e30134ce6bd4e03b5745f3d200c018db273601e7
Instruction Fuzzy Hash: E8E06D76500708EFC7219F5ADC048AAB7F8FF81321710852FF99A82510D7B1EA14DF60

Function 0021388E Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 002138EA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 60a8c7f99c250e21153112a6a1c2d803c82dafa79a57a0997e6827a348c29538
Instruction ID: b88f173e3ff9c597a62f86e47ab1f7ec6b56ee3c1174e16a7a1ed5c6d03b6ac2
Opcode Fuzzy Hash: 60a8c7f99c250e21153112a6a1c2d803c82dafa79a57a0997e6827a348c29538
Instruction Fuzzy Hash: B6F03770914358DFE752DF24EC4A7D57BFCAB05708F0000E5A5859A182D774578CCF51

Function 002139DE Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002139FD

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fa4ce604db763e7092cec1c70816d53854a7f33c43c501f1fe4746cb53a13521
Instruction ID: f5fa5998ce3a5c1c7adfd15371b5f41e63e9e84e0b58952a5e25094fa157737f
Opcode Fuzzy Hash: fa4ce604db763e7092cec1c70816d53854a7f33c43c501f1fe4746cb53a13521
Instruction Fuzzy Hash: 8CE0C276A002245BCB20E2989C0AFEA77EDDFC9790F0400B1FC09D7248DEB4ED84CA90

Function 00264941 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0026494D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8f94b91de263290469ed6a7476ecff10c293aac69619ba6a32b34dfa41940838
Instruction ID: 26f4cd844764c0dbb97d0e9e948d2b035feacb527912c0d29e9613920d53d335
Opcode Fuzzy Hash: 8f94b91de263290469ed6a7476ecff10c293aac69619ba6a32b34dfa41940838
Instruction Fuzzy Hash: FBE08672F10115A7CF20CEE4A891BADB7B4BF25352F100161E959FA111C6239D718AA1

Function 0025073A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00250AA4,?,?,00000000,?,00250AA4,00000000,0000000C), ref: 00250757

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7fe33caeb267d44adf8dd4a4a06199209f16e447d4c667970da883c455ea9110
Instruction ID: 13b0505deeab42c8cb423434a91f6899ba14c6f3a6d8b99cf422bd11dd877a32
Opcode Fuzzy Hash: 7fe33caeb267d44adf8dd4a4a06199209f16e447d4c667970da883c455ea9110
Instruction Fuzzy Hash: 40D06C3210020DBBDF028F84ED06EDA3BAAFB48714F014000BE5856020C736E821AB90

Function 00287DA4 Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00216E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00213B33,?,00008000), ref: 00216E80

GetLastError.KERNEL32(00000002,00000000), ref: 00288038

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 880c8dab720c8cebb303ef1dd12088578d648b2ff2dc0b149f1a15efaea11126
Instruction ID: c26a0eaf185e542a90726149c4a741d2ba3386d5bfc7ffb4de5847f32fec496b
Opcode Fuzzy Hash: 880c8dab720c8cebb303ef1dd12088578d648b2ff2dc0b149f1a15efaea11126
Instruction Fuzzy Hash: 2681BE346283028FC715EF24C491BAEB7E1AFA8310F14455DF9865B292CB30EDA4CF92

Function 00217953 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00253A1C), ref: 00217973

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ae571df75afff453cc48010fc45713bc1bf158b904a27f1d92060ab0fbbfffb9
Instruction ID: 121d5198560fa13674189a9dd6928d03845219b3bc3e47a711e1b762004a936e
Opcode Fuzzy Hash: ae571df75afff453cc48010fc45713bc1bf158b904a27f1d92060ab0fbbfffb9
Instruction Fuzzy Hash: 19E09275814B12DFC7314F1AE804452FBF4FEE23613204A2FD0E682660D7B0589ACB50

Non-executed Functions

Function 0022FC8A Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0022FC94
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0026FC58
IsIconic.USER32(00000000), ref: 0026FC61
ShowWindow.USER32(00000000,00000009), ref: 0026FC6E
SetForegroundWindow.USER32(00000000), ref: 0026FC78
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026FC8E
GetCurrentThreadId.KERNEL32 ref: 0026FC95
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0026FCA1
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026FCB2
AttachThreadInput.USER32(?,00000000,00000001), ref: 0026FCBA
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0026FCC2
SetForegroundWindow.USER32(00000000), ref: 0026FCC5
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026FCDA
keybd_event.USER32(00000012,00000000), ref: 0026FCE5
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026FCEF
keybd_event.USER32(00000012,00000000), ref: 0026FCF4
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026FCFD
keybd_event.USER32(00000012,00000000), ref: 0026FD02
MapVirtualKeyW.USER32(00000012,00000000), ref: 0026FD0C
keybd_event.USER32(00000012,00000000), ref: 0026FD11
SetForegroundWindow.USER32(00000000), ref: 0026FD14
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0026FD3B

Strings

Shell_TrayWnd, xrefs: 0026FC53

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d118429ea41a3d5fa52d212cc79cb87813951cdff006adefaeb7844afebc875a
Instruction ID: 48106e3a928c6f7a54ceef4179f4a8bbae94634fcb65d0fd5059e47d0a97d2ab
Opcode Fuzzy Hash: d118429ea41a3d5fa52d212cc79cb87813951cdff006adefaeb7844afebc875a
Instruction Fuzzy Hash: 97319671A502187BEF206BB56D4DF7F7E6CEB45B50F100066FA01E61D0DAB05D50AAA0

Function 00271A91 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00271F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00271F9D
Part of subcall function 00271F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00271FCA
Part of subcall function 00271F53: GetLastError.KERNEL32 ref: 00271FDA

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00271B16
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00271B38
CloseHandle.KERNEL32(?), ref: 00271B49
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00271B61
GetProcessWindowStation.USER32 ref: 00271B7A
SetProcessWindowStation.USER32(00000000), ref: 00271B84
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00271BA0

Part of subcall function 0027194F: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00271A8C), ref: 00271964
Part of subcall function 0027194F: CloseHandle.KERNEL32(?,?,00271A8C), ref: 00271979

Strings

default, xrefs: 00271B9B
winsta0, xrefs: 00271B5C
, xrefs: 00271AEA
j-, xrefs: 00271C22

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j-
API String ID: 22674027-1767079194
Opcode ID: ef69b83ac21880fd242e7272627962a8a0b8f8395472a641b9091a2a441609f9
Instruction ID: 5cb582e57937b079b5e7840af108c720aa390ff73fcd099ea8345fe8d185b99c
Opcode Fuzzy Hash: ef69b83ac21880fd242e7272627962a8a0b8f8395472a641b9091a2a441609f9
Instruction Fuzzy Hash: BF818F7195020AAFDF219FA9DC49BEE7BBDFF05300F14801AF919A61A0DB718965CF21

Function 002713F2 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00271989: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002719A4
Part of subcall function 00271989: GetLastError.KERNEL32(?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719B0
Part of subcall function 00271989: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719BF
Part of subcall function 00271989: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719C6
Part of subcall function 00271989: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002719DD

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0027145C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00271490
GetLengthSid.ADVAPI32(?), ref: 002714A7
GetAce.ADVAPI32(?,00000000,?), ref: 002714E1
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002714FD
GetLengthSid.ADVAPI32(?), ref: 00271514
GetProcessHeap.KERNEL32(00000008,00000008), ref: 0027151C
HeapAlloc.KERNEL32(00000000), ref: 00271523
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00271544
CopySid.ADVAPI32(00000000), ref: 0027154B
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0027157A
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0027159C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002715AE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002715D5
HeapFree.KERNEL32(00000000), ref: 002715DC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002715E5
HeapFree.KERNEL32(00000000), ref: 002715EC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002715F5
HeapFree.KERNEL32(00000000), ref: 002715FC
GetProcessHeap.KERNEL32(00000000,?), ref: 00271608
HeapFree.KERNEL32(00000000), ref: 0027160F

Part of subcall function 00271A23: GetProcessHeap.KERNEL32(00000008,00271441,?,00000000,?,00271441,?), ref: 00271A31
Part of subcall function 00271A23: HeapAlloc.KERNEL32(00000000,?,00000000,?,00271441,?), ref: 00271A38
Part of subcall function 00271A23: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00271441,?), ref: 00271A47

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 20da37b4b91617bb3b786c38bded12f364f4af1ee1e29c05c651bc2e011657a0
Instruction ID: b72dc484247b13185fa29a03c5fa2fdea3d500ef86fd755fc778e2dc037d8ff9
Opcode Fuzzy Hash: 20da37b4b91617bb3b786c38bded12f364f4af1ee1e29c05c651bc2e011657a0
Instruction Fuzzy Hash: 617151B191020AEBDF10DFA9DC48FEEBBB9FF45310F148115E91AA7190DB719A25CB60

Function 0028F45C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002ADCD0), ref: 0028F486
IsClipboardFormatAvailable.USER32(0000000D), ref: 0028F494
GetClipboardData.USER32(0000000D), ref: 0028F4A0
CloseClipboard.USER32 ref: 0028F4AC
GlobalLock.KERNEL32(00000000), ref: 0028F4E4
CloseClipboard.USER32 ref: 0028F4EE
GlobalUnlock.KERNEL32(00000000), ref: 0028F519
IsClipboardFormatAvailable.USER32(00000001), ref: 0028F526
GetClipboardData.USER32(00000001), ref: 0028F52E
GlobalLock.KERNEL32(00000000), ref: 0028F53F
GlobalUnlock.KERNEL32(00000000), ref: 0028F57F
IsClipboardFormatAvailable.USER32(0000000F), ref: 0028F595
GetClipboardData.USER32(0000000F), ref: 0028F5A1
GlobalLock.KERNEL32(00000000), ref: 0028F5B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0028F5D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028F5F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0028F62F
GlobalUnlock.KERNEL32(00000000), ref: 0028F650
CountClipboardFormats.USER32 ref: 0028F671
CloseClipboard.USER32 ref: 0028F6B6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9942a419113a873e0ebda47ecd551b29a884faa6b3616dae5e6b6b1ac7ed3fba
Instruction ID: 1ef8edb8408ee735828b142db1a328434076e0f333e510916c6edb08ddf285b6
Opcode Fuzzy Hash: 9942a419113a873e0ebda47ecd551b29a884faa6b3616dae5e6b6b1ac7ed3fba
Instruction Fuzzy Hash: 2361BC342113029FD310FF20E988F6A7BE8AF95714F044569F856872E2DF31E955CB62

Function 002872E9 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00287318
FindClose.KERNEL32(00000000), ref: 0028736C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002873A8
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002873CF

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

FileTimeToSystemTime.KERNEL32(?,?), ref: 0028740C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00287439

Strings

%02d, xrefs: 0028755A, 00287564, 002875B4, 00287604, 00287654, 002876A4
%03d, xrefs: 002876FC
%4d%02d%02d%02d%02d%02d%03d, xrefs: 0028748C
%4d%02d%02d%02d%02d%02d, xrefs: 002874C4
%4d, xrefs: 0028750B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 59f0cb0d2992625af0e8ecfac36c82098bd04c601d9701fd26c195f509f8b278
Instruction ID: c83bf03279c687beba0077b48b723a251efaf27be04b435289f87d979df4584f
Opcode Fuzzy Hash: 59f0cb0d2992625af0e8ecfac36c82098bd04c601d9701fd26c195f509f8b278
Instruction Fuzzy Hash: 26D15D72518344AFC310EFA4C895EBFB7FCAF98704F44091AF98586192EB74D954CB62

Function 00284678 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028469A
_wcslen.LIBCMT ref: 002846C7
CreateDirectoryW.KERNEL32(?,00000000), ref: 002846F7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00284718
RemoveDirectoryW.KERNEL32(?), ref: 00284728
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002847AF
CloseHandle.KERNEL32(00000000), ref: 002847BA
CloseHandle.KERNEL32(00000000), ref: 002847C5

Strings

\??\%s, xrefs: 002846B5
\, xrefs: 002846D1
:, xrefs: 002846DC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7dc3fa67d7479e9d07e126657af929d74383682f47fb9462f53a5d5e76b16d23
Instruction ID: a0642e554ef20b26c884bddd1a9fd9c73d9ad1c72b97a0727938b7ccb46ddd7e
Opcode Fuzzy Hash: 7dc3fa67d7479e9d07e126657af929d74383682f47fb9462f53a5d5e76b16d23
Instruction Fuzzy Hash: 3331D87551021AABDB21EF60DC49FEB77BCEF8A740F1001B5F905D20A0EB7496548F24

Function 0028A0FA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0028A11B
FindNextFileW.KERNEL32(00000000,?), ref: 0028A176
FindClose.KERNEL32(00000000), ref: 0028A181
FindFirstFileW.KERNEL32(*.*,?), ref: 0028A19D
SetCurrentDirectoryW.KERNEL32(?), ref: 0028A1ED
SetCurrentDirectoryW.KERNEL32(002D7B94), ref: 0028A20B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028A215
FindClose.KERNEL32(00000000), ref: 0028A222
FindClose.KERNEL32(00000000), ref: 0028A232

Part of subcall function 0027E2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0027E2C9

Strings

*.*, xrefs: 0028A198

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7ac23dc67ba76040042895d5f6ca7e3dd3a0b44552dd9ac5cdd19b12e83b4264
Instruction ID: b4fc96149dda564ce1fb54bd9a90119e7beab876e7f01668030d11e73e501914
Opcode Fuzzy Hash: 7ac23dc67ba76040042895d5f6ca7e3dd3a0b44552dd9ac5cdd19b12e83b4264
Instruction Fuzzy Hash: 3F31F23511221A6BEF20BFA4AC09ADE73AC9F06320F100193EC15A21E1EF75DE65CF61

Function 0029C7A3 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0029D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029C00D,?,?), ref: 0029D314
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D350
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3C7
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C89D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0029C908
RegCloseKey.ADVAPI32(00000000), ref: 0029C92C
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0029C98B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0029CA46
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029CAB3
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029CB48
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0029CB99
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0029CC42
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029CCE1
RegCloseKey.ADVAPI32(00000000), ref: 0029CCEE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 793432684b173d6de12d0621b3a1804992075fb8a77855f5861eafb5644d1220
Instruction ID: b978f576adf002d83873ab312f8dd8c7ed88b89110edec60417ac278266139c1
Opcode Fuzzy Hash: 793432684b173d6de12d0621b3a1804992075fb8a77855f5861eafb5644d1220
Instruction Fuzzy Hash: 91026F716142019FDB14DF24C895E2ABBE5FF48318F18849DF84ACB2A2DB31ED56CB91

Function 0027A54A Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0027A572
GetAsyncKeyState.USER32(000000A0), ref: 0027A5F3
GetKeyState.USER32(000000A0), ref: 0027A60E
GetAsyncKeyState.USER32(000000A1), ref: 0027A628
GetKeyState.USER32(000000A1), ref: 0027A63D
GetAsyncKeyState.USER32(00000011), ref: 0027A655
GetKeyState.USER32(00000011), ref: 0027A667
GetAsyncKeyState.USER32(00000012), ref: 0027A67F
GetKeyState.USER32(00000012), ref: 0027A691
GetAsyncKeyState.USER32(0000005B), ref: 0027A6A9
GetKeyState.USER32(0000005B), ref: 0027A6BB

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9eae779740dc5378ed4d2b900bcda4004fe96bb31523b7a888135222f0f1bc0
Instruction ID: 6b078e52e09b6ea48ce1d4827862ee17a3141fe70b2620db0321512dea451354
Opcode Fuzzy Hash: c9eae779740dc5378ed4d2b900bcda4004fe96bb31523b7a888135222f0f1bc0
Instruction Fuzzy Hash: 0B41F5609247CB6AFF354F6084043A9BEA4AB91364F48C04AD6CB4A5C1DBB499E88B53

Function 0027D836 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0021557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00215558,?,?,00254B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0021559E

Part of subcall function 0027E9C5: GetFileAttributesW.KERNEL32(?,0027D755), ref: 0027E9C6

FindFirstFileW.KERNEL32(?,?), ref: 0027D8E2
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0027D99D
MoveFileW.KERNEL32(?,?), ref: 0027D9B0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027D9CD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027D9F7

Part of subcall function 0027DA5C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0027D9DC,?,?), ref: 0027DA72

FindClose.KERNEL32(00000000,?,?,?), ref: 0027DA13
FindClose.KERNEL32(00000000), ref: 0027DA24

Strings

\*.*, xrefs: 0027D88D, 0027D896, 0027D8AB

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b48712fe7e00b97b5fd4ed68cc0e580ab80b2fb705fed756b9a2dcbe9a8a663e
Instruction ID: 3e628ba32edbcd35d6ec91ecc74a13943b38960af5445741c1eb83343fbc7430
Opcode Fuzzy Hash: b48712fe7e00b97b5fd4ed68cc0e580ab80b2fb705fed756b9a2dcbe9a8a663e
Instruction Fuzzy Hash: 0B614B31C1114DABCF05EFE0DA52AEDB7B5AF25300F6480A5E406B61A2EB316F59CF61

Function 0028F6C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0028F6EE
EmptyClipboard.USER32 ref: 0028F6F4
GlobalAlloc.KERNEL32(00000002,?), ref: 0028F709
CloseClipboard.USER32 ref: 0028F800

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c9a3258f3f16de3c6935dd3bb77c37f504786c1b195d83941d6bacadb5fbbc67
Instruction ID: 1bfa57938597908a79a9b67b786daf733cd5b8df0ee20307fc23638a2181b462
Opcode Fuzzy Hash: c9a3258f3f16de3c6935dd3bb77c37f504786c1b195d83941d6bacadb5fbbc67
Instruction Fuzzy Hash: 6141C0382156129FE710DF14E888F15BBE4EF44318F15C4A8E81A8FAA2CB75EC42CF90

Function 00272093 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00271CD9,?,?,00000000), ref: 0027209C
HeapAlloc.KERNEL32(00000000,?,00271CD9,?,?,00000000), ref: 002720A3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271CD9,?,?,00000000), ref: 002720B8
GetCurrentProcess.KERNEL32(?,00000000,?,00271CD9,?,?,00000000), ref: 002720C0
DuplicateHandle.KERNEL32(00000000,?,00271CD9,?,?,00000000), ref: 002720C3
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00271CD9,?,?,00000000), ref: 002720D3
GetCurrentProcess.KERNEL32(00271CD9,00000000,?,00271CD9,?,?,00000000), ref: 002720DB
DuplicateHandle.KERNEL32(00000000,?,00271CD9,?,?,00000000), ref: 002720DE
CreateThread.KERNEL32(00000000,00000000,00272104,00000000,00000000,00000000), ref: 002720F8

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1286cb1404f229b317a455351cb24578a1526681c65fc714776cefb25829287b
Instruction ID: d48781b0702f12125460df9c999193c1e84d7ad56c5fe60a0cb24b80997fc81f
Opcode Fuzzy Hash: 1286cb1404f229b317a455351cb24578a1526681c65fc714776cefb25829287b
Instruction Fuzzy Hash: 4001CDB5240308FFE710AFA5EC4DF6B3BACEB8A711F404411FA09DB5A1DA709800CB20

Function 00283923 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0025552E,?,?,00000000,00000000), ref: 00283933
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0025552E,?,?,00000000,00000000), ref: 0028394A
LoadResource.KERNEL32(?,00000000,?,?,0025552E,?,?,00000000,00000000,?,?,?,?,?,?,002163C2), ref: 0028395A
SizeofResource.KERNEL32(?,00000000,?,?,0025552E,?,?,00000000,00000000,?,?,?,?,?,?,002163C2), ref: 0028396B
LockResource.KERNEL32(.U%,?,?,0025552E,?,?,00000000,00000000,?,?,?,?,?,?,002163C2,?), ref: 0028397A

Strings

SCRIPT, xrefs: 00283940
.U%, xrefs: 00283977

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: .U%$SCRIPT
API String ID: 3051347437-1560596366
Opcode ID: c5fc965d41075eb084728e1959faa617007ffcc7e28184a520ab6efe957ee217
Instruction ID: adcdf4f109ad3b0561bf133fa5ccbf4aea714f8c5b9f1aeab2591275608a624e
Opcode Fuzzy Hash: c5fc965d41075eb084728e1959faa617007ffcc7e28184a520ab6efe957ee217
Instruction Fuzzy Hash: 89117C74211701BFE7219B25EC48F277BB9EBC6B40F148268F84296690DBB1DD10C621

Function 0027F122 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00271F53: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00271F9D
Part of subcall function 00271F53: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00271FCA
Part of subcall function 00271F53: GetLastError.KERNEL32 ref: 00271FDA

ExitWindowsEx.USER32(?,00000000), ref: 0027F15E

Strings

, xrefs: 0027F14C
SeShutdownPrivilege, xrefs: 0027F12E
, xrefs: 0027F188
@, xrefs: 0027F151

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6c83747f40005d0dd0a15c63b999d8362fa003c7439f44cda68985db1c27e0b1
Instruction ID: 72aab5cb829b32ae0b684ae780fa17713c2a43912305e1396315ae388fa97ae4
Opcode Fuzzy Hash: 6c83747f40005d0dd0a15c63b999d8362fa003c7439f44cda68985db1c27e0b1
Instruction Fuzzy Hash: 3701A272638211EBE7646AB8EE8ABBF726C9B09350F558431FD0EE21D1DA705D208690

Function 00291B61 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00291BD3
WSAGetLastError.WSOCK32 ref: 00291BE0
bind.WSOCK32(00000000,?,00000010), ref: 00291C17
WSAGetLastError.WSOCK32 ref: 00291C22
closesocket.WSOCK32(00000000), ref: 00291C51
listen.WSOCK32(00000000,00000005), ref: 00291C60
WSAGetLastError.WSOCK32 ref: 00291C6A
closesocket.WSOCK32(00000000), ref: 00291C99

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 06e4a604e2f53ead9863a5f9f1eba41cd43961cc5b8510296407c4cc273ba42a
Instruction ID: ec0c7a51163a0da0499c32cb0c8e7b892767deee9572cc54da20e4a5da2f6eed
Opcode Fuzzy Hash: 06e4a604e2f53ead9863a5f9f1eba41cd43961cc5b8510296407c4cc273ba42a
Instruction Fuzzy Hash: 6E41A1346001029FDB10DF29D498B69BBE6BF46318F188199E8568F2D2C771EC92CBE1

Function 0024BCF2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024BD74
_free.LIBCMT ref: 0024BD98
_free.LIBCMT ref: 0024BF1F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002B46D0), ref: 0024BF31
WideCharToMultiByte.KERNEL32(00000000,00000000,002E221C,000000FF,00000000,0000003F,00000000,?,?), ref: 0024BFA9
WideCharToMultiByte.KERNEL32(00000000,00000000,002E2270,000000FF,?,0000003F,00000000,?), ref: 0024BFD6
_free.LIBCMT ref: 0024C0EB

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a7f0a67c4d352fcffe148ba44d3a4df9d39f6f9fce3fcba5d7494d984b0b5642
Instruction ID: 804c8966adf40061ca9adcbdb22121605e077d2f70c25ed0d9dea235f0f303a1
Opcode Fuzzy Hash: a7f0a67c4d352fcffe148ba44d3a4df9d39f6f9fce3fcba5d7494d984b0b5642
Instruction Fuzzy Hash: 4AC15671A20246EBCB2A9F389C45BAA7BBCEF41310F64409AE9859B251D770CD66CF50

Function 0027DB69 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0021557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00215558,?,?,00254B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0021559E

Part of subcall function 0027E9C5: GetFileAttributesW.KERNEL32(?,0027D755), ref: 0027E9C6

FindFirstFileW.KERNEL32(?,?), ref: 0027DBE0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0027DC30
FindNextFileW.KERNEL32(00000000,00000010), ref: 0027DC41
FindClose.KERNEL32(00000000), ref: 0027DC58
FindClose.KERNEL32(00000000), ref: 0027DC61

Strings

\*.*, xrefs: 0027DBB2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: a80213143fadcaaf5d61fcfd8755b062cd734e9827ecf2452a0c8001c536f4c3
Instruction ID: ea68ef9ec249eabed4c9ec21c0f79efb39d5cfefdb66b7e51b75a9ed20c843bc
Opcode Fuzzy Hash: a80213143fadcaaf5d61fcfd8755b062cd734e9827ecf2452a0c8001c536f4c3
Instruction Fuzzy Hash: 5331A4310283459BC301EF64D8859EFB7F9BEA2304F44495DF4D6921A1DB70DE59CB52

Function 0028A488 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0028A4D5
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0028A5E8

Part of subcall function 002841CE: GetInputState.USER32 ref: 00284225
Part of subcall function 002841CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002842C0

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0028A505
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0028A5D2

Strings

*.*, xrefs: 0028A4BA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c78ee493ddc0a4321467f7435db651177f9a3b3546a8d683a820e0f3129bfb3e
Instruction ID: 3202a20ead0f1a0e92ae16b597cb543d6d08c3419fbe3bb20b17fbc3d34c3dd2
Opcode Fuzzy Hash: c78ee493ddc0a4321467f7435db651177f9a3b3546a8d683a820e0f3129bfb3e
Instruction Fuzzy Hash: A741B275D1120AAFEF10EFA4C849AEEBBB4EF15310F504057E805A21D1DB359EA4CF51

Function 0021225D Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 002122EE
GetSysColor.USER32(0000000F), ref: 002123C3
SetBkColor.GDI32(?,00000000), ref: 002123D6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 093223564c4ff768f2567eefa7d6ad57f8e453c3a3ebd717e30f08261674b78d
Instruction ID: 94dafab31a09af7d1902b764338d372040ce78cf1eb50d01fa0d535f833c6865
Opcode Fuzzy Hash: 093223564c4ff768f2567eefa7d6ad57f8e453c3a3ebd717e30f08261674b78d
Instruction Fuzzy Hash: 1A8146B1234055FEE628AE3D8C5CEFF25CDDB67341B100109F912C5592CAB98EB9D63A

Function 00292163 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002939AB: inet_addr.WSOCK32(?), ref: 002939D7
Part of subcall function 002939AB: _wcslen.LIBCMT ref: 002939F8

socket.WSOCK32(00000002,00000002,00000011), ref: 002921BA
WSAGetLastError.WSOCK32 ref: 002921E1
bind.WSOCK32(00000000,?,00000010), ref: 00292238
WSAGetLastError.WSOCK32 ref: 00292243
closesocket.WSOCK32(00000000), ref: 00292272

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1bac10aab1d12929e365ac44174421f509944249b2b67c82c51fbc11e46acc88
Instruction ID: 8f207b322d764ca9a171fe198c8fb408907658cef0efabffaa1134173e2a18ed
Opcode Fuzzy Hash: 1bac10aab1d12929e365ac44174421f509944249b2b67c82c51fbc11e46acc88
Instruction Fuzzy Hash: 6351D475A10210AFDB10AF64D886F6A77E5AF55714F048088F916AF3D3CB70AD518BE1

Function 002A25A0 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A261F
IsWindowEnabled.USER32 ref: 002A262D
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002A263A
IsIconic.USER32 ref: 002A2648
IsZoomed.USER32 ref: 002A2656

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b7589f3a5dbe2c7b302ffae0ff195fda43e8a23dea508261ac9747dfe6fadb6e
Instruction ID: 45fd348a2be782652ddde14de0c6181d532a003473237d6dfd15ab4e043c66b0
Opcode Fuzzy Hash: b7589f3a5dbe2c7b302ffae0ff195fda43e8a23dea508261ac9747dfe6fadb6e
Instruction Fuzzy Hash: AB213231711241CFE7148F2AD858B5A7BE9FF96720F488068E84ACB211DF31EC56CB90

Function 0029AFDB Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029B00B
Process32FirstW.KERNEL32(00000000,?), ref: 0029B019

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Process32NextW.KERNEL32(00000000,?), ref: 0029B0FB
CloseHandle.KERNEL32(00000000), ref: 0029B10A

Part of subcall function 0022E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00254D4D,?), ref: 0022E30F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6206e77ebcc4c02a2f401db04843ef05621dd4c1b8d6cfda3161b1739c9247fa
Instruction ID: 93d33ebe6cb65b915bcea6ea3473a75654d84399d7e0913bf71a245a4ec8b413
Opcode Fuzzy Hash: 6206e77ebcc4c02a2f401db04843ef05621dd4c1b8d6cfda3161b1739c9247fa
Instruction Fuzzy Hash: BF5147B1518300AFC710EF24D886AABBBE8AF99754F40491DF98997251EB70D914CF92

Function 0028D7A1 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0028D7E6
GetLastError.KERNEL32(?,00000000), ref: 0028D847
SetEvent.KERNEL32(?,?,00000000), ref: 0028D85B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: baa5527f7117e2f30d8a4855ebfd5dca81cf1c654ba657197d6144f9cecf03d1
Instruction ID: 4b7c56fe2712730b63722e57f703458977bef2b43b459f3b96dc511f7cedf249
Opcode Fuzzy Hash: baa5527f7117e2f30d8a4855ebfd5dca81cf1c654ba657197d6144f9cecf03d1
Instruction Fuzzy Hash: DA21C4795113059FEB20AF65D988B9BB7F8EF40314F10442AE542925C2D774EA19CB50

Function 0027E387 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00254686), ref: 0027E397
GetFileAttributesW.KERNEL32(?), ref: 0027E3A6
FindFirstFileW.KERNEL32(?,?), ref: 0027E3B7
FindClose.KERNEL32(00000000), ref: 0027E3C3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 1970bd40e914e5e67bba7cff5ce04121e453f576577cf7b33d7a85ad0efc1016
Instruction ID: 860fc77f5aa300d506c8a3ed8e616dbb33e476eee34c007c4782a80b2127dbf8
Opcode Fuzzy Hash: 1970bd40e914e5e67bba7cff5ce04121e453f576577cf7b33d7a85ad0efc1016
Instruction Fuzzy Hash: 93F0A0304219105786116B3CAC0D8BA77AC9E46335B508791F83AC24F4DBB09DB586A5

Function 0026E59A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0026E59E

Strings

%.3d, xrefs: 0026E5A9
X64, xrefs: 0026E626

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 154e0f3c1127cb3b1b93ff59557c5b6c0fca20c5b1bcf88fb737240bacd74886
Instruction ID: cce5039adbb955d66b18903a301fcd3d9b5285aa80eac00c6e2005ead5a34134
Opcode Fuzzy Hash: 154e0f3c1127cb3b1b93ff59557c5b6c0fca20c5b1bcf88fb737240bacd74886
Instruction Fuzzy Hash: C7D012A5C34018EACFD0AAD0D948CBD737CA718700F514462F80791000EAB495B8EB22

Function 002429B2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00242AAA
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00242AB4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00242AC1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af9dd1208174080da7feb4de241c59bfde7ea5f1e59ee19f50f5040d8337ac08
Instruction ID: 7705e7eb1c077ee235e68f2528ce15f982f40b079b7da365441e3c843f20c3fb
Opcode Fuzzy Hash: af9dd1208174080da7feb4de241c59bfde7ea5f1e59ee19f50f5040d8337ac08
Instruction Fuzzy Hash: 0931C27591122C9BCB21DF69D9897D8BBB8EF08310F5041DAE80CA6251EB309F958F55

Function 00271EF3 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00271F1C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00271F31
FreeSid.ADVAPI32(?), ref: 00271F41

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 080c2228eb90c98f987fa3705a92e3fcbf81d2c0cf4a878f39b1af9204978d2b
Instruction ID: 3cdb987900c987d0f6d17c1ce74dd2fbedb44460a995f3bd7fac4bb512369edb
Opcode Fuzzy Hash: 080c2228eb90c98f987fa3705a92e3fcbf81d2c0cf4a878f39b1af9204978d2b
Instruction Fuzzy Hash: D5F0177595030DBBDF00DFE4DC89AAEBBBCFB04700F5084A5E902E2181E774AA448B10

Function 0026E5F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0026E60A

Strings

X64, xrefs: 0026E626

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 592ec901c936cf5cb83379f7775b592a3e77d32d85a9613af27107f97569635c
Instruction ID: 905f43ab15e305cfc55776cb012b521b9fab920b50766838bf65a371bce5882d
Opcode Fuzzy Hash: 592ec901c936cf5cb83379f7775b592a3e77d32d85a9613af27107f97569635c
Instruction Fuzzy Hash: EAD0C9B482112DEBCFA0CB90ECCCDDD737CBB14304F100151F106A2000DB7095489B10

Function 0028410F Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002951EE,?,?,00000035,?), ref: 0028413E
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002951EE,?,?,00000035,?), ref: 0028414E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6905b8a67fb648680d4667313bb1a6efde874f995e3244cfa0ccdd25b119791d
Instruction ID: 15ece84dd4b50583e204702099822d9b9ab615a57ff4b1dafcc77aedb36c2fbf
Opcode Fuzzy Hash: 6905b8a67fb648680d4667313bb1a6efde874f995e3244cfa0ccdd25b119791d
Instruction Fuzzy Hash: 87F0E5382112266BEB2077659C4DFEB766EEFC5762F000165B909D31C1DA709944CBB1

Function 0027BB02 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0027BB39
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0027BB4C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a310d895ba34812c20a87dba733154468fa4ab98076d759dec7d89fab62d8063
Instruction ID: e9f0e4dece0f0be17a5215552c642bcd17cc68575d9b99553bb11173e9751e39
Opcode Fuzzy Hash: a310d895ba34812c20a87dba733154468fa4ab98076d759dec7d89fab62d8063
Instruction Fuzzy Hash: B2F06D7081024EABDB058FA0C80ABBEBFB0FF08309F00800AFD55A6191C3798611DF94

Function 0028F3FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0028F41A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 9ce11257d05ba49fa336035b7872a18a7aa21ce077f932f3b52b47401a04084e
Instruction ID: 0ecf41ad06d89fcfd3aa0c766c2f4969750d1958d0e37b3f91b8a687d1334d91
Opcode Fuzzy Hash: 9ce11257d05ba49fa336035b7872a18a7aa21ce077f932f3b52b47401a04084e
Instruction Fuzzy Hash: DFE048352101055FD750AF69E904997B7DCAF74760F108426FD4AD7351DAB0E891CFA1

Function 0027EBB3 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0027EBDC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: eea022790e7665953713e458ae3af7f649ce716869a2a5df1813612883bb812e
Instruction ID: bf33c7138efaac6dec96bf9aaff753069ab8eb32a2644026a9c9df33e8915fb1
Opcode Fuzzy Hash: eea022790e7665953713e458ae3af7f649ce716869a2a5df1813612883bb812e
Instruction Fuzzy Hash: 83D02BB107010138EC1C4E3D4C1FF3A0E04F309318F43A6D8B20BC49A4E4F09820A031

Function 00230D65 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D71,0023077E), ref: 00230D6A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3c42b7e94f9b7291495dcc06d38a861a9a2cec158affa6c84e76e3b787ff058d
Instruction ID: 1aa088fd8475c9657907cbb9c6068e37fb75526bfb819fc93aeec5806b2cf7c8
Opcode Fuzzy Hash: 3c42b7e94f9b7291495dcc06d38a861a9a2cec158affa6c84e76e3b787ff058d
Instruction Fuzzy Hash:

Function 0029343B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0029348D
DeleteObject.GDI32(00000000), ref: 002934A0
DestroyWindow.USER32 ref: 002934AF
GetDesktopWindow.USER32 ref: 002934CA
GetWindowRect.USER32(00000000), ref: 002934D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00293600
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0029360E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00293655
GetClientRect.USER32(00000000,?), ref: 00293661
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0029369D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002936BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002936D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002936DD
GlobalLock.KERNEL32(00000000), ref: 002936E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002936F5
GlobalUnlock.KERNEL32(00000000), ref: 002936FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00293705
GlobalFree.KERNEL32(00000000), ref: 00293710
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00293722
OleLoadPicture.OLEAUT32(?,00000000,00000000,002B0C04,00000000), ref: 00293738
GlobalFree.KERNEL32(00000000), ref: 00293748
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0029376E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0029378D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002937AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029399C

Strings

static, xrefs: 00293697, 002937EE
DISPLAY, xrefs: 002937FF
AutoIt v3, xrefs: 0029364F
, xrefs: 00293922

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5b87505707a72a970b215af9b0d7a5ec10ca4ddf72de2838fb7edbbffd15f703
Instruction ID: fd5664937c632ede1a27e184d522fe6eb80face8de6b23f9bcc50e4dee9d0465
Opcode Fuzzy Hash: 5b87505707a72a970b215af9b0d7a5ec10ca4ddf72de2838fb7edbbffd15f703
Instruction Fuzzy Hash: 4B027875A10205AFDB14DF64DC8DEAE7BB9FB49310F148158F916AB2A0CB74AE11CF60

Function 002A7A34 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002A7A8E
GetSysColorBrush.USER32(0000000F), ref: 002A7ABF
GetSysColor.USER32(0000000F), ref: 002A7ACB
SetBkColor.GDI32(?,000000FF), ref: 002A7AE5
SelectObject.GDI32(?,?), ref: 002A7AF4
InflateRect.USER32(?,000000FF,000000FF), ref: 002A7B1F
GetSysColor.USER32(00000010), ref: 002A7B27
CreateSolidBrush.GDI32(00000000), ref: 002A7B2E
FrameRect.USER32(?,?,00000000), ref: 002A7B3D
DeleteObject.GDI32(00000000), ref: 002A7B44
InflateRect.USER32(?,000000FE,000000FE), ref: 002A7B8F
FillRect.USER32(?,?,?), ref: 002A7BC1
GetWindowLongW.USER32(?,000000F0), ref: 002A7BE3

Part of subcall function 002A7D47: GetSysColor.USER32(00000012), ref: 002A7D80
Part of subcall function 002A7D47: SetTextColor.GDI32(?,002A7A54), ref: 002A7D84
Part of subcall function 002A7D47: GetSysColorBrush.USER32(0000000F), ref: 002A7D9A
Part of subcall function 002A7D47: GetSysColor.USER32(0000000F), ref: 002A7DA5
Part of subcall function 002A7D47: GetSysColor.USER32(00000011), ref: 002A7DC2
Part of subcall function 002A7D47: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7DD0
Part of subcall function 002A7D47: SelectObject.GDI32(?,00000000), ref: 002A7DE1
Part of subcall function 002A7D47: SetBkColor.GDI32(?,?), ref: 002A7DEA
Part of subcall function 002A7D47: SelectObject.GDI32(?,?), ref: 002A7DF7
Part of subcall function 002A7D47: InflateRect.USER32(?,000000FF,000000FF), ref: 002A7E16
Part of subcall function 002A7D47: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A7E2D
Part of subcall function 002A7D47: GetWindowLongW.USER32(?,000000F0), ref: 002A7E3A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3b466355812876d6fc58f6ffb67de705365022af4afa5e16f8e730da6d796cce
Instruction ID: 6856044118514269d2c598ad7f2fea73241d2d80366b61e86119ba29aef47fd7
Opcode Fuzzy Hash: 3b466355812876d6fc58f6ffb67de705365022af4afa5e16f8e730da6d796cce
Instruction Fuzzy Hash: CBA19F71418302BFD7009F64EC48A6BBBA9FF4A325F100A19F666961E0DB71D9548B91

Function 00211625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002116B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00252B26
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00252B5F
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00252FA4

Part of subcall function 00211802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00211488,?,00000000,?,?,?,?,0021145A,00000000,?), ref: 00211865

SendMessageW.USER32(?,00001053), ref: 00252FE0
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00252FF7
ImageList_Destroy.COMCTL32(00000000,?), ref: 0025300D
ImageList_Destroy.COMCTL32(00000000,?), ref: 00253018

Strings

0, xrefs: 00252E30

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b4431568435de298aba17d3e3e81d341166b140e681eae5866f481070bb12ad5
Instruction ID: 78a836bd0a2c604ff7a5c1e7b7a821c56c0104f301292207b6380572baf2479f
Opcode Fuzzy Hash: b4431568435de298aba17d3e3e81d341166b140e681eae5866f481070bb12ad5
Instruction Fuzzy Hash: 8812E330620242DFC725CF14D888BA9B7F5FB56302F184529E9468B6A1CB31ECBACF54

Function 002A7D47 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002A7D80
SetTextColor.GDI32(?,002A7A54), ref: 002A7D84
GetSysColorBrush.USER32(0000000F), ref: 002A7D9A
GetSysColor.USER32(0000000F), ref: 002A7DA5
CreateSolidBrush.GDI32(?), ref: 002A7DAA
GetSysColor.USER32(00000011), ref: 002A7DC2
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002A7DD0
SelectObject.GDI32(?,00000000), ref: 002A7DE1
SetBkColor.GDI32(?,?), ref: 002A7DEA
SelectObject.GDI32(?,?), ref: 002A7DF7
InflateRect.USER32(?,000000FF,000000FF), ref: 002A7E16
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002A7E2D
GetWindowLongW.USER32(?,000000F0), ref: 002A7E3A
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002A7E89
GetWindowTextW.USER32(?,00000000,00000001), ref: 002A7EB3
InflateRect.USER32(?,000000FD,000000FD), ref: 002A7ED1
DrawFocusRect.USER32(?,?), ref: 002A7EDC
GetSysColor.USER32(00000011), ref: 002A7EED
SetTextColor.GDI32(?,00000000), ref: 002A7EF5
DrawTextW.USER32(?,Tz*,000000FF,?,00000000), ref: 002A7F07
SelectObject.GDI32(?,?), ref: 002A7F1E
DeleteObject.GDI32(?), ref: 002A7F29
SelectObject.GDI32(?,?), ref: 002A7F2F
DeleteObject.GDI32(?), ref: 002A7F34
SetTextColor.GDI32(?,?), ref: 002A7F3A
SetBkColor.GDI32(?,?), ref: 002A7F44

Strings

Tz*, xrefs: 002A7EFC, 002A7F05, 002A7F0D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: Tz*
API String ID: 1996641542-2594113492
Opcode ID: 7e59b081abdcce14a7751afc9282c449a0558d860f8bbda7998f8d50cd0b0c13
Instruction ID: 6e9d9642b96d2c6ce1b7b598957c7066fec3a0ca8d328b59fef52c7f6c5d6d88
Opcode Fuzzy Hash: 7e59b081abdcce14a7751afc9282c449a0558d860f8bbda7998f8d50cd0b0c13
Instruction Fuzzy Hash: AB613F71D10219AFDB119FA4EC49EEEBBB9EF0A320F114115F916AB2A0DB719D50CF90

Function 0029306E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0029309B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002931C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00293206
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00293216
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0029325D
GetClientRect.USER32(00000000,?), ref: 00293269
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002932B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002932C1
GetStockObject.GDI32(00000011), ref: 002932D1
SelectObject.GDI32(00000000,00000000), ref: 002932D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002932E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002932EE
DeleteDC.GDI32(00000000), ref: 002932F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00293323
SendMessageW.USER32(00000030,00000000,00000001), ref: 0029333A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0029337A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0029338E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0029339F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002933D4
GetStockObject.GDI32(00000011), ref: 002933DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002933EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002933F4

Strings

static, xrefs: 002932AC, 002933CE
DISPLAY, xrefs: 002932B7
msctls_progress32, xrefs: 00293370
AutoIt v3, xrefs: 00293255

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e30b805ef9e5e989d5a69ca7c77c738886179fb9a777f63f2eabe8e153caa2be
Instruction ID: de3c3b46595f2d287b02dd838b394e935b679faf75ba0523da8f25493e680b8a
Opcode Fuzzy Hash: e30b805ef9e5e989d5a69ca7c77c738886179fb9a777f63f2eabe8e153caa2be
Instruction Fuzzy Hash: 59B15CB1A50205AFEB14DF68DC89FAEBBB9EB05710F004155FA15EB2A0DB74AD50CF90

Function 00285439 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00285447
GetDriveTypeW.KERNEL32(?,002ADC30,?,\\.\,002ADCD0), ref: 00285524
SetErrorMode.KERNEL32(00000000,002ADC30,?,\\.\,002ADCD0), ref: 00285690

Strings

SSD, xrefs: 002855A4
ATAPI, xrefs: 002855EB
\\.\, xrefs: 00285499
1394, xrefs: 002855F9
PhysicalDrive, xrefs: 002854D0
Removable, xrefs: 0028556A, 0028556F
SAS, xrefs: 00285623
SSA, xrefs: 00285600
Fibre, xrefs: 00285607
SCSI, xrefs: 002855E4
iSCSI, xrefs: 0028561C
Virtual, xrefs: 0028563F
RAID, xrefs: 00285615
RAMDisk, xrefs: 0028554E
FileBackedVirtual, xrefs: 00285646
Unknown, xrefs: 00285547, 002855DD
CDROM, xrefs: 00285555
Network, xrefs: 0028555C
USB, xrefs: 0028560E
SATA, xrefs: 0028562A
Fixed, xrefs: 00285563
ATA, xrefs: 002855F2
MMC, xrefs: 00285638

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3852764b3c18f8e7b59d2857a5e4308f72b185156eb5ca93ee30eb45aa440270
Instruction ID: 577edf60aaccd16f479ce3c6d5c7b3dc2897e76354cd07aa86aa141191ab9f4e
Opcode Fuzzy Hash: 3852764b3c18f8e7b59d2857a5e4308f72b185156eb5ca93ee30eb45aa440270
Instruction Fuzzy Hash: F061E1386359269BCB04FF24CA418BCBBB6AF15300B68C056E406AB3E5E7B4DD71CB41

Function 002A1952 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A1A87
GetDesktopWindow.USER32 ref: 002A1A9C
GetWindowRect.USER32(00000000), ref: 002A1AA3
GetWindowLongW.USER32(?,000000F0), ref: 002A1AF8
DestroyWindow.USER32(?), ref: 002A1B18
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A1B4C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A1B6A
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A1B7C
SendMessageW.USER32(00000000,00000421,?,?), ref: 002A1B91
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002A1BA4
IsWindowVisible.USER32(00000000), ref: 002A1C00
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002A1C1B
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002A1C2F
GetWindowRect.USER32(00000000,?), ref: 002A1C47
MonitorFromPoint.USER32(?,?,00000002), ref: 002A1C6D
GetMonitorInfoW.USER32(00000000,?), ref: 002A1C87
CopyRect.USER32(?,?), ref: 002A1C9E
SendMessageW.USER32(00000000,00000412,00000000), ref: 002A1D09

Strings

tooltips_class32, xrefs: 002A1B45
(, xrefs: 002A1C7A
0, xrefs: 002A1A32

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 811e20472b2a745f0c4a1ffa9cdb8a9d7261c4873d900599d8d328cbf7f664d4
Instruction ID: 7acd22483ca17a0292abfe733211a7c33e3612e71a889f5f24fc2320d3a78ebe
Opcode Fuzzy Hash: 811e20472b2a745f0c4a1ffa9cdb8a9d7261c4873d900599d8d328cbf7f664d4
Instruction Fuzzy Hash: E4B19E71614301AFD704DF64D884B6ABBE5FF85360F00891DF5999B2A1DB30E864CF92

Function 002A0BA0 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A0C44
_wcslen.LIBCMT ref: 002A0C7E
_wcslen.LIBCMT ref: 002A0CE8
_wcslen.LIBCMT ref: 002A0D50
_wcslen.LIBCMT ref: 002A0DD4
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002A0E24
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A0E63

Part of subcall function 0022FD60: _wcslen.LIBCMT ref: 0022FD6B

Part of subcall function 00272ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00272AE8
Part of subcall function 00272ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00272B1A

Strings

VIEWCHANGE, xrefs: 002A0FD4
GETITEMCOUNT, xrefs: 002A0C75, 002A0C96
GETSELECTEDCOUNT, xrefs: 002A0DCF, 002A0DEA
FINDITEM, xrefs: 002A0F86
SELECTALL, xrefs: 002A0E74
SELECTINVERT, xrefs: 002A0EDD
GETSUBITEMCOUNT, xrefs: 002A0CE3, 002A0CFE
DESELECT, xrefs: 002A0EFB
SELECTCLEAR, xrefs: 002A0E8C
GETSELECTED, xrefs: 002A0F40
ISSELECTED, xrefs: 002A0E3C
SELECT, xrefs: 002A0EA7
GETTEXT, xrefs: 002A0D4B, 002A0D66

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: db746ea4d45d91041a75afeaf2c695913a253b7a91dd09ed614877e0af9dbc88
Instruction ID: 83fa8dd7a2a50af4282af54fdc7acb60e09e74143c0504ff78d435624119e4a3
Opcode Fuzzy Hash: db746ea4d45d91041a75afeaf2c695913a253b7a91dd09ed614877e0af9dbc88
Instruction Fuzzy Hash: A2E1AE312382418FC714DF24C58086AB3E6FF9A314B14896EF8969B7A1DF30ED65CB52

Function 002124C3 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0021259A
GetSystemMetrics.USER32(00000007), ref: 002125A2
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002125CD
GetSystemMetrics.USER32(00000008), ref: 002125D5
GetSystemMetrics.USER32(00000004), ref: 002125FA
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00212617
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00212627
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0021265A
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0021266E
GetClientRect.USER32(00000000,000000FF), ref: 0021268C
GetStockObject.GDI32(00000011), ref: 002126A8
SendMessageW.USER32(00000000,00000030,00000000), ref: 002126B3

Part of subcall function 002119CD: GetCursorPos.USER32(?), ref: 002119E1
Part of subcall function 002119CD: ScreenToClient.USER32(00000000,?), ref: 002119FE
Part of subcall function 002119CD: GetAsyncKeyState.USER32(00000001), ref: 00211A23
Part of subcall function 002119CD: GetAsyncKeyState.USER32(00000002), ref: 00211A3D

SetTimer.USER32(00000000,00000000,00000028,0021199C), ref: 002126DA

Strings

AutoIt v3 GUI, xrefs: 00212652

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b5486623882c62d858473e6aadd42da50d75f115ff032eec7313e4cec18e2a9a
Instruction ID: 989254d11b70284ad74d62ee5c88ef7e85b769a2b9630b739a758cc30527d8c6
Opcode Fuzzy Hash: b5486623882c62d858473e6aadd42da50d75f115ff032eec7313e4cec18e2a9a
Instruction Fuzzy Hash: 26B19C71A1020ADFDB14DFA8DC89BEE7BB5FB49310F104119FA16AB290DB70A964CF54

Function 0027161B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00271989: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002719A4
Part of subcall function 00271989: GetLastError.KERNEL32(?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719B0
Part of subcall function 00271989: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719BF
Part of subcall function 00271989: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719C6
Part of subcall function 00271989: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002719DD

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00271685
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002716B9
GetLengthSid.ADVAPI32(?), ref: 002716D0
GetAce.ADVAPI32(?,00000000,?), ref: 0027170A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00271726
GetLengthSid.ADVAPI32(?), ref: 0027173D
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00271745
HeapAlloc.KERNEL32(00000000), ref: 0027174C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027176D
CopySid.ADVAPI32(00000000), ref: 00271774
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002717A3
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002717C5
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002717D7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002717FE
HeapFree.KERNEL32(00000000), ref: 00271805
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0027180E
HeapFree.KERNEL32(00000000), ref: 00271815
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0027181E
HeapFree.KERNEL32(00000000), ref: 00271825
GetProcessHeap.KERNEL32(00000000,?), ref: 00271831
HeapFree.KERNEL32(00000000), ref: 00271838

Part of subcall function 00271A23: GetProcessHeap.KERNEL32(00000008,00271441,?,00000000,?,00271441,?), ref: 00271A31
Part of subcall function 00271A23: HeapAlloc.KERNEL32(00000000,?,00000000,?,00271441,?), ref: 00271A38
Part of subcall function 00271A23: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00271441,?), ref: 00271A47

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9586da51cff9524491a1a7e5ea4afdffedf2766492b027de50f38f531e73ff24
Instruction ID: bcfb0f67a99f2e5ac9de4360cb93dd0af03a18b2317f6d10ba3aa338f0f20992
Opcode Fuzzy Hash: 9586da51cff9524491a1a7e5ea4afdffedf2766492b027de50f38f531e73ff24
Instruction Fuzzy Hash: D97151B291020AABDF10DFA9DC49FEEBBB8FF05710F148115E919E7190DB719925CB60

Function 002A8C9B Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A8CB9
_wcslen.LIBCMT ref: 002A8CCD
_wcslen.LIBCMT ref: 002A8CF0
_wcslen.LIBCMT ref: 002A8D13
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002A8D51
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002A6551), ref: 002A8DAD
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8DE6
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002A8E29
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002A8E60
FreeLibrary.KERNEL32(?), ref: 002A8E6C
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002A8E7C
DestroyIcon.USER32(?,?,?,?,?,002A6551), ref: 002A8E8B
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002A8EA8
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002A8EB4

Strings

.exe, xrefs: 002A8CE7
Qe*, xrefs: 002A8CA4, 002A8EBA, 002A8D64, 002A8E3B, 002A8DC2
.icl, xrefs: 002A8CC7
.dll, xrefs: 002A8D0A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$Qe*
API String ID: 799131459-2596870142
Opcode ID: 78643f5d63d6bbc506b118ababbd1b6262ec3d9ab5756db1430d22873504d982
Instruction ID: 60a08b1ec5a9bf976f2af8e33f0a04c3f95c5f5dc731c57b3659b25af9d0309c
Opcode Fuzzy Hash: 78643f5d63d6bbc506b118ababbd1b6262ec3d9ab5756db1430d22873504d982
Instruction Fuzzy Hash: 2F61FEB1A20615FBEB14DF64CC45BBE77A8BF1A710F104606F915D61D0DFB4AAA0CBA0

Function 0029CD16 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029CE1C
RegCreateKeyExW.ADVAPI32(?,?,00000000,002ADCD0,00000000,?,00000000,?,?), ref: 0029CEA3
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0029CF03
_wcslen.LIBCMT ref: 0029CF53
_wcslen.LIBCMT ref: 0029CFCE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0029D011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0029D120
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0029D1AC
RegCloseKey.ADVAPI32(?), ref: 0029D1E0
RegCloseKey.ADVAPI32(00000000), ref: 0029D1ED
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0029D2BF

Strings

REG_MULTI_SZ, xrefs: 0029D054
REG_SZ, xrefs: 0029CFA3
REG_BINARY, xrefs: 0029D272
REG_QWORD, xrefs: 0029D222
REG_DWORD, xrefs: 0029D163
REG_EXPAND_SZ, xrefs: 0029CF2C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d4d56cb406c1d078217d709de40348f4697e648e1e1fbd3d34c1864a8176ecb9
Instruction ID: e889ce071a765645b1428e1e914c1deb936d5c7200a4e1ccff4bc44ac866d808
Opcode Fuzzy Hash: d4d56cb406c1d078217d709de40348f4697e648e1e1fbd3d34c1864a8176ecb9
Instruction Fuzzy Hash: 9E1258752242019FDB14DF24C881A6ABBE5FF88754F14849DF98A9B3A2CB31ED51CF81

Function 002A127D Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A1325
_wcslen.LIBCMT ref: 002A1360
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A13B3
_wcslen.LIBCMT ref: 002A13E9
_wcslen.LIBCMT ref: 002A1465
_wcslen.LIBCMT ref: 002A14E0

Part of subcall function 0022FD60: _wcslen.LIBCMT ref: 0022FD6B

Part of subcall function 00273478: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0027348A

Strings

ISCHECKED, xrefs: 002A1640
GETITEMCOUNT, xrefs: 002A157D
GETTOTALCOUNT, xrefs: 002A1351, 002A1376
EXISTS, xrefs: 002A14DB, 002A14F6
GETSELECTED, xrefs: 002A15AD
UNCHECK, xrefs: 002A169D
SELECT, xrefs: 002A1670
CHECK, xrefs: 002A13E4, 002A13FF
EXPAND, xrefs: 002A1557
GETTEXT, xrefs: 002A15F6
COLLAPSE, xrefs: 002A1460, 002A147B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c6178c44c4285aabe81e9a739259eb91081daa377149c5020dc4130e548e1ec3
Instruction ID: 35739a5ceecc75e7e976ad0dd818781be668d37a9795d844e6295aab3ea55216
Opcode Fuzzy Hash: c6178c44c4285aabe81e9a739259eb91081daa377149c5020dc4130e548e1ec3
Instruction Fuzzy Hash: 40E1B1352243428FCB14DF24C44086AB7E6FF9A324F54499DF8969B7A1DB30ED65CB81

Function 0029D2F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029C00D,?,?), ref: 0029D314
_wcslen.LIBCMT ref: 0029D350
_wcslen.LIBCMT ref: 0029D3C7
_wcslen.LIBCMT ref: 0029D3FD
_wcslen.LIBCMT ref: 0029D458
_wcslen.LIBCMT ref: 0029D48E
_wcslen.LIBCMT ref: 0029D4DE

Strings

HKEY_CURRENT_CONFIG, xrefs: 0029D4D8, 0029D4DD
HKEY_LOCAL_MACHINE, xrefs: 0029D3C1, 0029D3C6
HKCR, xrefs: 0029D488, 0029D48D
HKU, xrefs: 0029D54F
HKEY_USERS, xrefs: 0029D53E
HKCC, xrefs: 0029D50B
HKEY_CURRENT_USER, xrefs: 0029D51C
HKLM, xrefs: 0029D3F7, 0029D3FC
HKEY_CLASSES_ROOT, xrefs: 0029D452, 0029D457
HKCU, xrefs: 0029D52D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f56ec13d6ad3dc7a5b66e3751666c696a0efaa7f7449ffb811f3bb41e90d0ad9
Instruction ID: 81c0b0623e9b84d8c125613f917a113bdecbc5b9d5a604cbcc9bcc9771e409e7
Opcode Fuzzy Hash: f56ec13d6ad3dc7a5b66e3751666c696a0efaa7f7449ffb811f3bb41e90d0ad9
Instruction Fuzzy Hash: E571F332A301278BCF209E7CD9406FE33A5AB71754F610569FC559B294EA34ED70EBA0

Function 00213E15 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 002546DD
#include-once, xrefs: 00213ECC
#include, xrefs: 00213EE4
#ce, xrefs: 00213F8A
', xrefs: 002545CD
#comments-start, xrefs: 00213EFC, 00213F4E
#cs, xrefs: 00213F10, 00213F62
Bad directive syntax error, xrefs: 002545FE
#pragma compile, xrefs: 00213E70
#comments-end, xrefs: 00213F76
Unterminated group of comments, xrefs: 002546F0
#notrayicon, xrefs: 00213E84
", xrefs: 002545B7
#OnAutoItStartRegister, xrefs: 00213EB4
#requireadmin, xrefs: 00213E9C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 10837b78e6e32694535cd905987aff561c4b7751c7366b39b536743fbe7fcbba
Instruction ID: 1e7f03be841de3ae5271b17e043e6d9e56bdadc84ed950a9615201435ba17d5b
Opcode Fuzzy Hash: 10837b78e6e32694535cd905987aff561c4b7751c7366b39b536743fbe7fcbba
Instruction Fuzzy Hash: CF81EA71660206BBDB11EF60DC42FEF77A9AF26710F004010FD09AA186EB70DAB5CB95

Function 002847D3 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00284852
_wcslen.LIBCMT ref: 0028485D
_wcslen.LIBCMT ref: 002848B4
_wcslen.LIBCMT ref: 002848F2
GetDriveTypeW.KERNEL32(?), ref: 00284930
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00284978
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002849B3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002849E1

Strings

close cd wait, xrefs: 002849CC
type cdaudio alias cd wait, xrefs: 0028495B
closed, xrefs: 00284862, 00284887, 002848A0, 002848D8, 002848F1
wait, xrefs: 0028499E
close, xrefs: 00284858, 00284872
open, xrefs: 002848AE, 002848B3
open , xrefs: 0028493F
set cd door , xrefs: 00284982

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2882c4359c24ab53232cb658e20d476fcd29678a3cbdc30081d04d312650b332
Instruction ID: e17ecf9b902c2a788b58b4053a45bc7126845b6b4132125b12efdcdf53f09ef5
Opcode Fuzzy Hash: 2882c4359c24ab53232cb658e20d476fcd29678a3cbdc30081d04d312650b332
Instruction Fuzzy Hash: 2071E2365243139FC710FF24C8908AAB7E4EFA5754F10492EF89697291EB34DDA5CB81

Function 002762AA Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002762BD
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002762CF
SetWindowTextW.USER32(?,?), ref: 002762E6
GetDlgItem.USER32(?,000003EA), ref: 002762FB
SetWindowTextW.USER32(00000000,?), ref: 00276301
GetDlgItem.USER32(?,000003E9), ref: 00276311
SetWindowTextW.USER32(00000000,?), ref: 00276317
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00276338
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00276352
GetWindowRect.USER32(?,?), ref: 0027635B
_wcslen.LIBCMT ref: 002763C2
SetWindowTextW.USER32(?,?), ref: 002763FE
GetDesktopWindow.USER32 ref: 00276404
GetWindowRect.USER32(00000000), ref: 0027640B
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00276462
GetClientRect.USER32(?,?), ref: 0027646F
PostMessageW.USER32(?,00000005,00000000,?), ref: 00276494
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002764BE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b710c0dff8c2f7cf4c38dd9c2a92fde08a45510e7b5614ee721cd866435b6f58
Instruction ID: c28fe2054059ed29e791e534f0ce10e60bf7d8618ff62ded2831e800c48222b9
Opcode Fuzzy Hash: b710c0dff8c2f7cf4c38dd9c2a92fde08a45510e7b5614ee721cd866435b6f58
Instruction Fuzzy Hash: 1971A031900B06EFDB20DFA8DE49BAEBBF5FF48B04F104518E54AA25A0DB75E954CB50

Function 0029076B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00290784
LoadCursorW.USER32(00000000,00007F8A), ref: 0029078F
LoadCursorW.USER32(00000000,00007F00), ref: 0029079A
LoadCursorW.USER32(00000000,00007F03), ref: 002907A5
LoadCursorW.USER32(00000000,00007F8B), ref: 002907B0
LoadCursorW.USER32(00000000,00007F01), ref: 002907BB
LoadCursorW.USER32(00000000,00007F81), ref: 002907C6
LoadCursorW.USER32(00000000,00007F88), ref: 002907D1
LoadCursorW.USER32(00000000,00007F80), ref: 002907DC
LoadCursorW.USER32(00000000,00007F86), ref: 002907E7
LoadCursorW.USER32(00000000,00007F83), ref: 002907F2
LoadCursorW.USER32(00000000,00007F85), ref: 002907FD
LoadCursorW.USER32(00000000,00007F82), ref: 00290808
LoadCursorW.USER32(00000000,00007F84), ref: 00290813
LoadCursorW.USER32(00000000,00007F04), ref: 0029081E
LoadCursorW.USER32(00000000,00007F02), ref: 00290829
GetCursorInfo.USER32(?), ref: 00290839
GetLastError.KERNEL32 ref: 0029087B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0a7b164a97a0a2a1242f6dfddc089c471a99406bffa161d0e0a8d8cde407a025
Instruction ID: a8e95e786be5544dbda9fa70f77276a0e1484e040b5d8d7c8c763a817eb2b8c2
Opcode Fuzzy Hash: 0a7b164a97a0a2a1242f6dfddc089c471a99406bffa161d0e0a8d8cde407a025
Instruction Fuzzy Hash: 6C415370E4831A6FDB109FBA8C8985EBFE8FF04754B50452AA11DE7291DA78E901CF91

Function 00273986 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00273A1C
_wcslen.LIBCMT ref: 00273A87

Strings

CLASS, xrefs: 00273A17, 00273A34
CLASSNN, xrefs: 00273A82, 00273A93
TEXT, xrefs: 00273D0B
k-, xrefs: 00273C29
INSTANCE, xrefs: 00273CE2
NAME, xrefs: 00273BC4, 00273BD5
REGEXPCLASS, xrefs: 00273AE4, 00273AF5

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k-
API String ID: 176396367-2057780728
Opcode ID: f7cd7362a1e2e734b46c95bf153511174df3399f1796a067699230608ee56cc5
Instruction ID: 57ca1c3c1d66795877954e4af98d32fb6812c4ec1b20ddeaa1ec388581a4efcb
Opcode Fuzzy Hash: f7cd7362a1e2e734b46c95bf153511174df3399f1796a067699230608ee56cc5
Instruction Fuzzy Hash: 00E1D731A20516ABCB24DFB8C4456EDFBB5BF14710F14C11AE45AF7250DB30AEB5AB90

Function 00230456 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00230456

Part of subcall function 0023047D: InitializeCriticalSectionAndSpinCount.KERNEL32(002E170C,00000FA0,4738BCC2,?,?,?,?,00252753,000000FF), ref: 002304AC
Part of subcall function 0023047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00252753,000000FF), ref: 002304B7
Part of subcall function 0023047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00252753,000000FF), ref: 002304C8
Part of subcall function 0023047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002304DE
Part of subcall function 0023047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002304EC
Part of subcall function 0023047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002304FA
Part of subcall function 0023047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00230525
Part of subcall function 0023047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00230530

___scrt_fastfail.LIBCMT ref: 00230477

Part of subcall function 00230433: __onexit.LIBCMT ref: 00230439

Strings

WakeAllConditionVariable, xrefs: 002304F2
kernel32.dll, xrefs: 002304C3
SleepConditionVariableCS, xrefs: 002304E4
api-ms-win-core-synch-l1-2-0.dll, xrefs: 002304B2
InitializeConditionVariable, xrefs: 002304D8

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d006696aaa6de69ad12e407fae130e00cf80d94e1df3360ee8c17d06f508ee92
Instruction ID: 04fab7a3f364eaf29e5dc48fd8983e9b25b4b1a584b06752dc1823f7ac8fe946
Opcode Fuzzy Hash: d006696aaa6de69ad12e407fae130e00cf80d94e1df3360ee8c17d06f508ee92
Instruction Fuzzy Hash: BB21F9B2AA07016FD7116FA4BCD9B6A77E4EB06FA1F400125F906966D0DF709C208E74

Function 00284E1A Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002ADCD0), ref: 00284E81
_wcslen.LIBCMT ref: 00284E95
_wcslen.LIBCMT ref: 00284EF3
_wcslen.LIBCMT ref: 00284F4E
_wcslen.LIBCMT ref: 00284F99
_wcslen.LIBCMT ref: 00285001

Part of subcall function 0022FD60: _wcslen.LIBCMT ref: 0022FD6B

GetDriveTypeW.KERNEL32(?,002D7C10,00000061), ref: 0028509D

Strings

network, xrefs: 00284FF7, 00284FFC
all, xrefs: 00284E8B, 00284E90
removable, xrefs: 00284F44, 00284F49
cdrom, xrefs: 00284EE9, 00284EEE
ramdisk, xrefs: 0028504B
unknown, xrefs: 00285062
fixed, xrefs: 00284F8F, 00284F94

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: da5cb63e95cb981621f34a4e0dea9b0b71f15fd2462bf090d96b1bd3d920ce51
Instruction ID: 0261c708e49e65a563ffd0832bccf2579fdf8542f477a3f6e03b2d2a4b3bdcac
Opcode Fuzzy Hash: da5cb63e95cb981621f34a4e0dea9b0b71f15fd2462bf090d96b1bd3d920ce51
Instruction Fuzzy Hash: 14B1F2356293139FC710FF28C890A6AB7E5BFA4714F50491DF59687291EB30D8A4CB92

Function 002A9A7D Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

DragQueryPoint.SHELL32(?,?), ref: 002A9AA6

Part of subcall function 002A7FD3: ClientToScreen.USER32(?,?), ref: 002A7FF9
Part of subcall function 002A7FD3: GetWindowRect.USER32(?,?), ref: 002A806F
Part of subcall function 002A7FD3: PtInRect.USER32(?,?,?), ref: 002A807F

SendMessageW.USER32(?,000000B0,?,?), ref: 002A9B0F
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002A9B1A
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002A9B3D
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002A9B84
SendMessageW.USER32(?,000000B0,?,?), ref: 002A9B9D
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9BB4
SendMessageW.USER32(?,000000B1,?,?), ref: 002A9BD6
DragFinish.SHELL32(?), ref: 002A9BDD
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 002A9CD0

Strings

@GUI_DRAGID, xrefs: 002A9C48
@GUI_DRAGFILE, xrefs: 002A9C7F
p3., xrefs: 002A9C1A
@GUI_DROPID, xrefs: 002A9BFD

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p3.
API String ID: 221274066-3864867779
Opcode ID: a891cb6c544f4189e573d3dac938a014675a7ff536fd5bf4b11aaf9b0ba93d8a
Instruction ID: 01ae77ac10f41558ac0867bd0c93d359069ab7d3b4f3857e6d3a5666fc24e528
Opcode Fuzzy Hash: a891cb6c544f4189e573d3dac938a014675a7ff536fd5bf4b11aaf9b0ba93d8a
Instruction Fuzzy Hash: BB617971518341AFC701EF60EC89D9FBBF8EF99310F40091EB592921A1DB70AA99CB52

Function 00294946 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002ADCD0), ref: 00294A18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00294A2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,002ADCD0), ref: 00294A4F
FreeLibrary.KERNEL32(00000000,?,002ADCD0), ref: 00294A9B
StringFromGUID2.OLE32(?,?,00000028,?,002ADCD0), ref: 00294B05
SysFreeString.OLEAUT32(00000009), ref: 00294BBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00294C25
SysFreeString.OLEAUT32(?), ref: 00294C4F

Strings

kernel32.dll, xrefs: 00294A13
GetModuleHandleExW, xrefs: 00294A24

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: dfea9d82ab174e979ff42495dbce85bbfe6b4192279460e662555dee23346d7e
Instruction ID: 017ee25a8ad67ff15cec6a7e3eb7fa7526dc67605c3ee441842dc340fe94909e
Opcode Fuzzy Hash: dfea9d82ab174e979ff42495dbce85bbfe6b4192279460e662555dee23346d7e
Instruction Fuzzy Hash: 1E126E75A10105EFDF14DF94C888EAEB7B5FF49318F148098E9499B251DB31ED52CBA0

Function 002137A6 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002E2990), ref: 00253F4C
GetMenuItemCount.USER32(002E2990), ref: 00253FFC
GetCursorPos.USER32(?), ref: 00254040
SetForegroundWindow.USER32(00000000), ref: 00254049
TrackPopupMenuEx.USER32(002E2990,00000000,?,00000000,00000000,00000000), ref: 0025405C
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00254068

Strings

0, xrefs: 002137B4

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ee7019294991357f49199d4a2b0494cae184a76d104af3dfef6a537b06e8c29d
Instruction ID: e1962ff6d0b7dfefffd69ba2ff388c6b4b0e257e88184a3fbb85dada6b555d27
Opcode Fuzzy Hash: ee7019294991357f49199d4a2b0494cae184a76d104af3dfef6a537b06e8c29d
Instruction Fuzzy Hash: 95712A70610206BBEB21CF68DC49FAABFA9FF01368F204216F915A65E0C7B19D74CB54

Function 002A7638 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002A774A

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002A77BE
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002A77E0
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A77F3
DestroyWindow.USER32(?), ref: 002A7814
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00210000,00000000), ref: 002A7843
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A785C
GetDesktopWindow.USER32 ref: 002A7875
GetWindowRect.USER32(00000000), ref: 002A787C
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002A7894
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002A78AC

Part of subcall function 002121E4: GetWindowLongW.USER32(?,000000EB), ref: 002121F2

Strings

tooltips_class32, xrefs: 002A77B7, 002A783C
0, xrefs: 002A76F7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7d5187815138be71d3d1ca5bf05fb907f20ce22aa7d71ab3da594819485fdc14
Instruction ID: 0132d1a9dc10289698268069129d05e923900ae3c4f946b517c226eb41420402
Opcode Fuzzy Hash: 7d5187815138be71d3d1ca5bf05fb907f20ce22aa7d71ab3da594819485fdc14
Instruction Fuzzy Hash: A971BA70558245AFD725CF18DC48FAABBEAFBCA300F14051DF98687261CB74A912DB29

Function 0028CDD3 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028CE0D
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028CE20
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028CE34
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0028CE4D
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0028CE90
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0028CEA6
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028CEB1
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028CEE1
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0028CF39
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0028CF4D
InternetCloseHandle.WININET(00000000), ref: 0028CF58

Strings

, xrefs: 0028CED2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 807d915aadd0af0d6349351ceaceea926767c4b67ff6d6a1efb9a90f5916aa99
Instruction ID: 36b3a98a9826b3ea826bb139d3bfad9a81078e9458f42d915d29b8aa099b3fef
Opcode Fuzzy Hash: 807d915aadd0af0d6349351ceaceea926767c4b67ff6d6a1efb9a90f5916aa99
Instruction Fuzzy Hash: 82519074511209BFEB21AF60DC48AAB7BFDFF19744F10841AFA4686690DB34D914DBB0

Function 002A8ECE Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 002A8EF1
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F01
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F0C
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F19
GlobalLock.KERNEL32(00000000), ref: 002A8F27
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F36
GlobalUnlock.KERNEL32(00000000), ref: 002A8F3F
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F46
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002A8F57
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002B0C04,?), ref: 002A8F70
GlobalFree.KERNEL32(00000000), ref: 002A8F80
GetObjectW.GDI32(?,00000018,?), ref: 002A8FA0
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002A8FD0
DeleteObject.GDI32(?), ref: 002A8FF8
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002A900E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 653673be8d7729b49c46e7eb19e76bde0ed5ca86d12e2c45603067117fd4d341
Instruction ID: 16c8761cb072cc2adce51abf1c469a6c4e8103d2537364085514b0159e5da3a0
Opcode Fuzzy Hash: 653673be8d7729b49c46e7eb19e76bde0ed5ca86d12e2c45603067117fd4d341
Instruction Fuzzy Hash: EA410675600205AFDB219F65EC8CEAABBB9EF8A751F104059F90AE7660DF709941CB20

Function 00281D91 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00281DD6
VariantCopy.OLEAUT32(?,?), ref: 00281DDF
VariantClear.OLEAUT32(?), ref: 00281DEB
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00281ECF
VarR8FromDec.OLEAUT32(?,?), ref: 00281F2B
VariantInit.OLEAUT32(?), ref: 00281FDC
SysFreeString.OLEAUT32(?), ref: 00282060
VariantClear.OLEAUT32(?), ref: 002820AC
VariantClear.OLEAUT32(?), ref: 002820BB
VariantInit.OLEAUT32(00000000), ref: 002820F7

Strings

Default, xrefs: 00281F83
%4d%02d%02d%02d%02d%02d, xrefs: 00281EF9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b1094c77f4881c62af43584159b4d7ad2feab1ac127dc3a94f25301e2bf55395
Instruction ID: 9257ea99b1bb120ba3df8558e50de61b0f01a77183349c0d754712ff4e29b69a
Opcode Fuzzy Hash: b1094c77f4881c62af43584159b4d7ad2feab1ac127dc3a94f25301e2bf55395
Instruction Fuzzy Hash: 78D13775A21616EBCB24AF64D884B69B7B8BF04701F108455FC05AB1C1CBB0ECB5DFA0

Function 00292EB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00292F35
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00292F45
CreateCompatibleDC.GDI32(?), ref: 00292F51
SelectObject.GDI32(00000000,?), ref: 00292F5E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00292FCA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00293009
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0029302D
SelectObject.GDI32(?,?), ref: 00293035
DeleteObject.GDI32(?), ref: 0029303E
DeleteDC.GDI32(?), ref: 00293045
ReleaseDC.USER32(00000000,?), ref: 00293050

Strings

(, xrefs: 00292FEA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 127f41d9dbdc52a0a7673a61a5ef5090ff5e78882e2d1c01288c2261a15633ed
Instruction ID: 4ae9707f14dec2687ce26b075c71eddc835ec4c07906de4ca14cb5cf6a359fc4
Opcode Fuzzy Hash: 127f41d9dbdc52a0a7673a61a5ef5090ff5e78882e2d1c01288c2261a15633ed
Instruction Fuzzy Hash: 0761E3B5D10219EFCF04CFA4D884EAEBBB5FF48310F208529E55AA7650E771A951CFA0

Function 0024DDFD Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0024DE41

Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024D9F9
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA0B
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA1D
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA2F
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA41
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA53
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA65
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA77
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA89
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DA9B
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DAAD
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DABF
Part of subcall function 0024D9DC: _free.LIBCMT ref: 0024DAD1

_free.LIBCMT ref: 0024DE36

Part of subcall function 00242D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4), ref: 00242D6E
Part of subcall function 00242D58: GetLastError.KERNEL32(002E1DC4,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4,002E1DC4), ref: 00242D80

_free.LIBCMT ref: 0024DE58
_free.LIBCMT ref: 0024DE6D
_free.LIBCMT ref: 0024DE78
_free.LIBCMT ref: 0024DE9A
_free.LIBCMT ref: 0024DEAD
_free.LIBCMT ref: 0024DEBB
_free.LIBCMT ref: 0024DEC6
_free.LIBCMT ref: 0024DEFE
_free.LIBCMT ref: 0024DF05
_free.LIBCMT ref: 0024DF22
_free.LIBCMT ref: 0024DF3A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 42c12c48c069d8fc86f14d1687ab684df3d9a23f9352f475cf35c8816097d813
Instruction ID: 9686f5dce7a33cf80f4f406405a679b5a402e687587a92876b26e350d80a594f
Opcode Fuzzy Hash: 42c12c48c069d8fc86f14d1687ab684df3d9a23f9352f475cf35c8816097d813
Instruction Fuzzy Hash: 93316D71A20706DFDB39AE39D845B5673E9EF20310F90492AF449DB1A1DF71ACE98B10

Function 00273EEA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00273F2B
_wcslen.LIBCMT ref: 00273F36
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00274026
GetClassNameW.USER32(?,?,00000400), ref: 0027409B
GetDlgCtrlID.USER32(?), ref: 002740EC
GetWindowRect.USER32(?,?), ref: 00274111
GetParent.USER32(?), ref: 0027412F
ScreenToClient.USER32(00000000), ref: 00274136
GetClassNameW.USER32(?,?,00000100), ref: 002741B0
GetWindowTextW.USER32(?,?,00000400), ref: 002741EC

Strings

%s%u, xrefs: 00273FC3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 49fc0282fabcac2281af1855e23b61b7e4768329f5e46ac11f7d1766207f771b
Instruction ID: 4cd6686a92829ed04fec8af805847b9eb26b4e28d37554df48da47567ac183ac
Opcode Fuzzy Hash: 49fc0282fabcac2281af1855e23b61b7e4768329f5e46ac11f7d1766207f771b
Instruction Fuzzy Hash: 5391CF71224207AFD719EF24D884FEAB7A8FF44354F408529F99EC2191DB30E965CB91

Function 002751E3 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00275223
GetWindowTextW.USER32(?,?,00000400), ref: 00275269
_wcslen.LIBCMT ref: 0027527A
CharUpperBuffW.USER32(?,00000000), ref: 00275286
_wcsstr.LIBVCRUNTIME ref: 002752BB
GetClassNameW.USER32(00000018,?,00000400), ref: 002752F3
GetWindowTextW.USER32(?,?,00000400), ref: 0027532C
GetClassNameW.USER32(00000018,?,00000400), ref: 00275375
GetClassNameW.USER32(?,?,00000400), ref: 002753AF
GetWindowRect.USER32(?,?), ref: 0027541A

Strings

ThumbnailClass, xrefs: 002752FE, 00275380

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5beeded7f57c1ac5ca875f78c185da929142629f99dfa9a91c5d9bddbe3818fc
Instruction ID: d374b1827192b18c7e356a3911de68cc26ef6282c7495fab02c76a47e2110ad7
Opcode Fuzzy Hash: 5beeded7f57c1ac5ca875f78c185da929142629f99dfa9a91c5d9bddbe3818fc
Instruction Fuzzy Hash: E79102711247169FCB04CF10D895BAAB7E8FF44354F048469FD8E9A092DBB0ED65CBA1

Function 002A966D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002A96B9
GetFocus.USER32 ref: 002A96C9
GetDlgCtrlID.USER32(00000000), ref: 002A96D4
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 002A977C
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002A982E
GetMenuItemCount.USER32(?), ref: 002A984B
GetMenuItemID.USER32(?,00000000), ref: 002A985B
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002A988D
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002A98CF
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002A9900

Strings

0, xrefs: 002A97FE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: dfc9db31b9353827d0c47c466dc38dedba2c5a822cd603c0201662acd30304e8
Instruction ID: 6c85b7e9e45c14a5e2827396eb8713aa29d8fd8a40377a4a88c1996b917884fc
Opcode Fuzzy Hash: dfc9db31b9353827d0c47c466dc38dedba2c5a822cd603c0201662acd30304e8
Instruction Fuzzy Hash: B981E0B15243029FDB10CF26DC84AABBBE8FF8A314F100519F98597291DF71D9A4CBA1

Function 0027C80C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(002E2990,000000FF,00000000,00000030), ref: 0027C888
SetMenuItemInfoW.USER32(002E2990,00000004,00000000,00000030), ref: 0027C8BD
Sleep.KERNEL32(000001F4), ref: 0027C8CF
GetMenuItemCount.USER32(?), ref: 0027C915
GetMenuItemID.USER32(?,00000000), ref: 0027C932
GetMenuItemID.USER32(?,-00000001), ref: 0027C95E
GetMenuItemID.USER32(?,?), ref: 0027C9A5
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0027C9EB
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027CA00
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027CA21

Strings

0, xrefs: 0027C819

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 22c33ffdec1d368e16002cdf8845bb24013f1d96dfa50fe76466bbc8222c2234
Instruction ID: 0d0172632e566c22756951c97cbf5e9ac55a5091e3697f924d5ba0799a22e7d2
Opcode Fuzzy Hash: 22c33ffdec1d368e16002cdf8845bb24013f1d96dfa50fe76466bbc8222c2234
Instruction Fuzzy Hash: 16618F7092025AEBDF11CF74DC88AFE7BA8FB05304F248159E94AA3251DB74AD25CB61

Function 0027E3D7 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0027E3E9
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0027E40F
_wcslen.LIBCMT ref: 0027E419
_wcsstr.LIBVCRUNTIME ref: 0027E469
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0027E485

Strings

StringFileInfo\, xrefs: 0027E458
\VarFileInfo\Translation, xrefs: 0027E47D
%u.%u.%u.%u, xrefs: 0027E563
DefaultLangCodepage, xrefs: 0027E4E8
04090000, xrefs: 0027E4BB

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2888c9022411141650d68ec89aa70bdaf6998dae6b8bb56b0ce78d8b440d989e
Instruction ID: 00df81f5126604e9cc289c3ed39e690e93909a1f8637bc49dac0277699c72422
Opcode Fuzzy Hash: 2888c9022411141650d68ec89aa70bdaf6998dae6b8bb56b0ce78d8b440d989e
Instruction Fuzzy Hash: A24149B25602147BEB00BB649C47EBF77ACDF56310F404096F809E6182FB749A219AB5

Function 0029D593 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029D5C3
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0029D5EC
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029D6A7

Part of subcall function 0029D593: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0029D609
Part of subcall function 0029D593: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0029D61C
Part of subcall function 0029D593: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0029D62E
Part of subcall function 0029D593: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0029D664
Part of subcall function 0029D593: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0029D687

RegDeleteKeyW.ADVAPI32(?,?), ref: 0029D652

Strings

RegDeleteKeyExW, xrefs: 0029D628
advapi32.dll, xrefs: 0029D617

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: aa5b5bc65e2cca4d6cd13744dd4cff58c269e334daee7a8a781f19d010fe3ad6
Instruction ID: 48bfd1f88fe790e658b4fa072d8f145c18bc8e054f0856d70dcc13a3b50e1790
Opcode Fuzzy Hash: aa5b5bc65e2cca4d6cd13744dd4cff58c269e334daee7a8a781f19d010fe3ad6
Instruction Fuzzy Hash: F3316171911129BBDB209F51EC88EFFBB7CEF46710F000165F90AE2144DB709E46AAA0

Function 0027EEDC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0027EEE0

Part of subcall function 0022F27E: timeGetTime.WINMM(?,?,0027EF00), ref: 0022F282

Sleep.KERNEL32(0000000A), ref: 0027EF0D
EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 0027EF31
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0027EF53
SetActiveWindow.USER32 ref: 0027EF72
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0027EF80
SendMessageW.USER32(00000010,00000000,00000000), ref: 0027EF9F
Sleep.KERNEL32(000000FA), ref: 0027EFAA
IsWindow.USER32 ref: 0027EFB6
EndDialog.USER32(00000000), ref: 0027EFC7

Strings

BUTTON, xrefs: 0027EF45

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7ff884b4bfe7af97c53d55404db94eeb4df8835f77186f150fdc60f7e5a8a8d0
Instruction ID: 0038490cdbc3e3225892b71101fb062c1b64d7d38de69231ee9a4012096fc281
Opcode Fuzzy Hash: 7ff884b4bfe7af97c53d55404db94eeb4df8835f77186f150fdc60f7e5a8a8d0
Instruction Fuzzy Hash: FD21B070560245BFEF00AF70FCCCA2A3B6EF70A305B018495F41A86AB1CB718D208A75

Function 0027F228 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0027F289
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0027F29F
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0027F2B0
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0027F2C2
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0027F2D3

Strings

alias PlayMe, xrefs: 0027F262
play PlayMe wait, xrefs: 0027F2BD
play PlayMe, xrefs: 0027F2CE
open , xrefs: 0027F238
close PlayMe, xrefs: 0027F29A, 0027F2C7
status PlayMe mode, xrefs: 0027F284

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 687012d000378705b4ff9b528204b68e761088e6aec26dd6137f73a129920e34
Instruction ID: 2a572d523dab5b10d7fe7477b875c9566046f6abcfd7f28fa996db70eb4beae3
Opcode Fuzzy Hash: 687012d000378705b4ff9b528204b68e761088e6aec26dd6137f73a129920e34
Instruction Fuzzy Hash: BD11A732A7415979D710A7A1DC5AEFF6ABCDFE3B10F4004377801A21D1EAB01D65C9A1

Function 00243010 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00243024

Part of subcall function 00242D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4), ref: 00242D6E
Part of subcall function 00242D58: GetLastError.KERNEL32(002E1DC4,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4,002E1DC4), ref: 00242D80

_free.LIBCMT ref: 00243030
_free.LIBCMT ref: 0024303B
_free.LIBCMT ref: 00243046
_free.LIBCMT ref: 00243051
_free.LIBCMT ref: 0024305C
_free.LIBCMT ref: 00243067
_free.LIBCMT ref: 00243072
_free.LIBCMT ref: 0024307D
_free.LIBCMT ref: 0024308B

Strings

&+, xrefs: 0024301B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &+
API String ID: 776569668-2337533688
Opcode ID: 07bef7dfc890f6f18ad55844ea6b7eef80efc89d7fa31094cad4de1c8bbc4045
Instruction ID: 430deb2eda655c37f05b9af225173e64733cbfd6a25531d63ce4241d09d00e8a
Opcode Fuzzy Hash: 07bef7dfc890f6f18ad55844ea6b7eef80efc89d7fa31094cad4de1c8bbc4045
Instruction Fuzzy Hash: FE119676520148EFCB09EF55C842CDD3B69EF05350B8145A5B9189F132D671DEE59F80

Function 0027A86D Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0027A8EE
SetKeyboardState.USER32(?), ref: 0027A959
GetAsyncKeyState.USER32(000000A0), ref: 0027A979
GetKeyState.USER32(000000A0), ref: 0027A990
GetAsyncKeyState.USER32(000000A1), ref: 0027A9BF
GetKeyState.USER32(000000A1), ref: 0027A9D0
GetAsyncKeyState.USER32(00000011), ref: 0027A9FC
GetKeyState.USER32(00000011), ref: 0027AA0A
GetAsyncKeyState.USER32(00000012), ref: 0027AA33
GetKeyState.USER32(00000012), ref: 0027AA41
GetAsyncKeyState.USER32(0000005B), ref: 0027AA6A
GetKeyState.USER32(0000005B), ref: 0027AA78

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dc74ccb9ca9101d9c65d4e213e24d235555f921b30e7fd14783023e91c9ef0f1
Instruction ID: 2ae295b2c58bf278469f91eba465876fe77c47d3cddc5c3f4db639dd7d391b14
Opcode Fuzzy Hash: dc74ccb9ca9101d9c65d4e213e24d235555f921b30e7fd14783023e91c9ef0f1
Instruction Fuzzy Hash: 2A51162091478669EB35EFB088147AEBFB49F42350F08C58AD5CA1B5C2DA749A5CCB63

Function 00276555 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00276571
GetWindowRect.USER32(00000000,?), ref: 0027658A
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002765E8
GetDlgItem.USER32(?,00000002), ref: 002765F8
GetWindowRect.USER32(00000000,?), ref: 0027660A
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0027665E
GetDlgItem.USER32(?,000003E9), ref: 0027666C
GetWindowRect.USER32(00000000,?), ref: 0027667E
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 002766C0
GetDlgItem.USER32(?,000003EA), ref: 002766D3
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002766E9
InvalidateRect.USER32(?,00000000,00000001), ref: 002766F6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 60df29c0656f53fdf47f1d1208c33faf70ac7bc1f70610f36164347dad3cdcf7
Instruction ID: df14b03e1e1e6a6fb789a3d4c5eb9327d294197eeb9570da771eea76d761cae6
Opcode Fuzzy Hash: 60df29c0656f53fdf47f1d1208c33faf70ac7bc1f70610f36164347dad3cdcf7
Instruction Fuzzy Hash: 45515370B10606AFDF08CF68DD89AAEBBB9FB48700F548128F51AE7690DB709D14CB50

Function 0021146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00211802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00211488,?,00000000,?,?,?,?,0021145A,00000000,?), ref: 00211865

DestroyWindow.USER32(?), ref: 00211521
KillTimer.USER32(00000000,?,?,?,?,0021145A,00000000,?), ref: 002115BB
DestroyAcceleratorTable.USER32(00000000), ref: 002529D4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0021145A,00000000,?), ref: 00252A02
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0021145A,00000000,?), ref: 00252A19
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0021145A,00000000), ref: 00252A35
DeleteObject.GDI32(00000000), ref: 00252A47

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4669f734e8d36a9dbadbeb830ef90bdd19a6ede8320d0dc236fd65d4231cde8b
Instruction ID: de762b2bc1b72eafa84d67f2564d9268bc52b4e6719d8685a542bc158d571373
Opcode Fuzzy Hash: 4669f734e8d36a9dbadbeb830ef90bdd19a6ede8320d0dc236fd65d4231cde8b
Instruction Fuzzy Hash: C761BE31520612EFDB358F14E988B69B7F6FB91312F605418E5434AAA0C7B0A9F8DF54

Function 002120D8 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002121E4: GetWindowLongW.USER32(?,000000EB), ref: 002121F2

GetSysColor.USER32(0000000F), ref: 00212102

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7f39e7edee4e1a68a8f793c24c544b4b6c521b0a20bdcb2ef935a9122039d53b
Instruction ID: a6b32bb69e06334ec8cff442fffdd0c74a7567b18aac7247dad413c92169d11a
Opcode Fuzzy Hash: 7f39e7edee4e1a68a8f793c24c544b4b6c521b0a20bdcb2ef935a9122039d53b
Instruction Fuzzy Hash: 3841D771110640EFDB20DF38AC48BFA37A5EB56361F144605FAAA872E2C7719DA6DB10

Function 00270F6E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00271032
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0027104E
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0027106A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00271094
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002710BC
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002710C7
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002710CC

Strings

\IPC$, xrefs: 00271014
SOFTWARE\Classes\, xrefs: 00270F9E
\CLSID, xrefs: 00270FB4

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5dd5f49ccea3611fd4a31d3cc44690e0da0c342a7afc2f4c06a3bfaaded8acd7
Instruction ID: 414719f116289d54b6e5ccb837510557a803213ebdac7ff2728697016406c1ef
Opcode Fuzzy Hash: 5dd5f49ccea3611fd4a31d3cc44690e0da0c342a7afc2f4c06a3bfaaded8acd7
Instruction Fuzzy Hash: A3410872C20229ABCF21EFA4DC959EDB7B9BF14300F444069F905A3161EB719D68CF50

Function 002A48F7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002A499A
CreateCompatibleDC.GDI32(00000000), ref: 002A49A1
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002A49B4
SelectObject.GDI32(00000000,00000000), ref: 002A49BC
GetPixel.GDI32(00000000,00000000,00000000), ref: 002A49C7
DeleteDC.GDI32(00000000), ref: 002A49D1
GetWindowLongW.USER32(?,000000EC), ref: 002A49DB
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 002A49F1
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 002A49FD

Strings

static, xrefs: 002A4932

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9c6700fb86888c9c08eaabe1120197266d0ac969b10fab79c170ca01462d06f2
Instruction ID: 4f1b1370657330cb9778acf1776ec250a248b7026d06d324929f910770f31495
Opcode Fuzzy Hash: 9c6700fb86888c9c08eaabe1120197266d0ac969b10fab79c170ca01462d06f2
Instruction Fuzzy Hash: BC317272110216BBDF11AF64DC08FDB3B69FF4E724F110211FA5AA60A0DB75E821DB94

Function 0029458D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002945B9
CoInitialize.OLE32(00000000), ref: 002945E7
CoUninitialize.OLE32 ref: 002945F1
_wcslen.LIBCMT ref: 0029468A
GetRunningObjectTable.OLE32(00000000,?), ref: 0029470E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00294832
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0029486B
CoGetObject.OLE32(?,00000000,002B0B64,?), ref: 0029488A
SetErrorMode.KERNEL32(00000000), ref: 0029489D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00294921
VariantClear.OLEAUT32(?), ref: 00294935

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3ac0f409fb2f2f2cbb6cc571ef5b0dc92259286b9076903d2fb212d9a812b554
Instruction ID: dab30ed8c4e4ed87d602308b6f05d5c60111529804502a5b94b4a39768ba0a9b
Opcode Fuzzy Hash: 3ac0f409fb2f2f2cbb6cc571ef5b0dc92259286b9076903d2fb212d9a812b554
Instruction Fuzzy Hash: 6FC135B16243059F9B00EF68C884D6BB7E9FF89748F10495DF98A9B210DB70EC56CB52

Function 002883F0 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0028844D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002884E9
SHGetDesktopFolder.SHELL32(?), ref: 002884FD
CoCreateInstance.OLE32(002B0CD4,00000000,00000001,002D7E8C,?), ref: 00288549
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002885CE
CoTaskMemFree.OLE32(?,?), ref: 00288626
SHBrowseForFolderW.SHELL32(?), ref: 002886B1
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002886D4
CoTaskMemFree.OLE32(00000000), ref: 002886DB
CoTaskMemFree.OLE32(00000000), ref: 00288730
CoUninitialize.OLE32 ref: 00288736

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 0bad67e33ae810f6bd0b1b16695cc7b4954312e0420661d9c8b2b63ea1d25605
Instruction ID: 20c352ec0472475781689fd8c7037d631f58559423602d04fdebaae1690cb769
Opcode Fuzzy Hash: 0bad67e33ae810f6bd0b1b16695cc7b4954312e0420661d9c8b2b63ea1d25605
Instruction Fuzzy Hash: C8C12A79A10119AFCB14DFA4C888DAEBBF9FF49304B548098E51AEB661DB30ED45CF50

Function 002A5D7C Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A5E63
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A5E74
CharNextW.USER32(00000158), ref: 002A5EA3
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A5EE4
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A5EFA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A5F0B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: e4eddc779b96fdf3e922181b3ba30c52439399c2613a57fa098c88b0a71f89ea
Instruction ID: 675c10fda70af5c9fda9c553c35df24e741ee77456caab4b2973531280b322d2
Opcode Fuzzy Hash: e4eddc779b96fdf3e922181b3ba30c52439399c2613a57fa098c88b0a71f89ea
Instruction Fuzzy Hash: E6619070921619AFDF118F94DC88AFF7BB8EB07710F144145F921A6290CFB09A55CF60

Function 00270318 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0027033F
SafeArrayAllocData.OLEAUT32(?), ref: 00270398
VariantInit.OLEAUT32(?), ref: 002703AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 002703CA
VariantCopy.OLEAUT32(?,?), ref: 0027041D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00270431
VariantClear.OLEAUT32(?), ref: 00270446
SafeArrayDestroyData.OLEAUT32(?), ref: 00270453
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0027045C
VariantClear.OLEAUT32(?), ref: 0027046E
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00270479

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 80d396ed5ae4d5c78f39e88c0b9f16de99582fb3ffd746576192c14562bf6ef1
Instruction ID: 360bc85cd7db3d49ce4df0cedae37a6d1a1903c6272507da1b280752580bb3aa
Opcode Fuzzy Hash: 80d396ed5ae4d5c78f39e88c0b9f16de99582fb3ffd746576192c14562bf6ef1
Instruction Fuzzy Hash: AB414175A10219EFCF00DF64D8989EEBBB9FF58344F008069E95AA7261CB70A955CF90

Function 002AA8E5 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

GetSystemMetrics.USER32(0000000F), ref: 002AA926
GetSystemMetrics.USER32(0000000F), ref: 002AA946
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002AAB83
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002AABA1
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002AABC2
ShowWindow.USER32(00000003,00000000), ref: 002AABE1
InvalidateRect.USER32(?,00000000,00000001), ref: 002AAC06
DefDlgProcW.USER32(?,00000005,?,?), ref: 002AAC29

Strings

, xrefs: 002AAB37

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: 5ec35a4dcb12167bf506726cbe87c72272f10e5cb758756c665321736ed2feba
Instruction ID: 253d40526dcd194ef5468982bb6a0d2b9582b3884956572bf6b256927d7d03d7
Opcode Fuzzy Hash: 5ec35a4dcb12167bf506726cbe87c72272f10e5cb758756c665321736ed2feba
Instruction Fuzzy Hash: D9B1AD3161021ADFDF14CF28C9897AE7BF2FF45704F188069EC4A9B295DB70A964CB61

Function 00290EB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00290F19
inet_addr.WSOCK32(?), ref: 00290F79
gethostbyname.WSOCK32(?), ref: 00290F85
IcmpCreateFile.IPHLPAPI ref: 00290F93
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00291023
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00291042
IcmpCloseHandle.IPHLPAPI(?), ref: 00291116
WSACleanup.WSOCK32 ref: 0029111C

Strings

Ping, xrefs: 00290FD3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a30c95e44d34ca94955a522826a84c895cf8f0849ebeab89db56e44485952fe3
Instruction ID: 831f3f35f4ea625a0ae2d4b58e42c7f9cdd5d0f23fa756fbdd314ce0a7cb8fd7
Opcode Fuzzy Hash: a30c95e44d34ca94955a522826a84c895cf8f0849ebeab89db56e44485952fe3
Instruction Fuzzy Hash: C791B231614242AFDB20DF16C889F16BBE0FF44318F148599F5698B6A2C771EDA5CF81

Function 00299632 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00299652

Part of subcall function 002796E3: _wcslen.LIBCMT ref: 00279706

_wcslen.LIBCMT ref: 002996AD
_wcslen.LIBCMT ref: 002996FB
_wcslen.LIBCMT ref: 0029973B
_wcslen.LIBCMT ref: 002997CD

Strings

cdecl, xrefs: 002996A7, 002996AC
stdcall, xrefs: 00299735, 0029973A
winapi, xrefs: 002996F5, 002996FA
none, xrefs: 002997C4, 002997C9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cdeb96140cd4a64154b8e8c4f93c7f4f296a45e37101c13bd56d4fee617ee6d5
Instruction ID: 9c604523d29cec2922259481fb816d0e69a7c5f3896c99bdbab957833b887384
Opcode Fuzzy Hash: cdeb96140cd4a64154b8e8c4f93c7f4f296a45e37101c13bd56d4fee617ee6d5
Instruction Fuzzy Hash: D8518F71A241179BCF14DFACC9519FDB3A5BF25364B20422DE826E7284EB35DDA0CB90

Function 00294089 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 002940D1
CoUninitialize.OLE32 ref: 002940DC
CoCreateInstance.OLE32(?,00000000,00000017,002B0B44,?), ref: 00294136
IIDFromString.OLE32(?,?), ref: 002941A9
VariantInit.OLEAUT32(?), ref: 00294241
VariantClear.OLEAUT32(?), ref: 00294293

Strings

NULL Pointer assignment, xrefs: 0029417B
Failed to create object, xrefs: 00294141, 002941F7
Invalid parameter, xrefs: 002941C2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6be0fa58018b972b481f2551101595e146cdb2251299ba6aa9ee316e9cbb9d6c
Instruction ID: 0c42588ec63e11420af1ed824c78117ea71495f704801c4567007ca4316cdbfb
Opcode Fuzzy Hash: 6be0fa58018b972b481f2551101595e146cdb2251299ba6aa9ee316e9cbb9d6c
Instruction Fuzzy Hash: CC61B1706243019FDB10EF64D888F5ABBE4FF59714F000409F9899B291DB70EDA5CB92

Function 00288AEF Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00288BB1
SystemTimeToFileTime.KERNEL32(?,?), ref: 00288BC1
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00288BCD
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00288C6A
SetCurrentDirectoryW.KERNEL32(?), ref: 00288C7E
SetCurrentDirectoryW.KERNEL32(?), ref: 00288CB0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00288CE6
SetCurrentDirectoryW.KERNEL32(?), ref: 00288CEF

Strings

*.*, xrefs: 00288CF5

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6421adc5d9fb143b552e332894b2399eef2cd8117e6fe19829273825892fb506
Instruction ID: c2133a0158fbe8266246da0e393fbfcbc0738fe1ab541ae905e16a86ec2b0036
Opcode Fuzzy Hash: 6421adc5d9fb143b552e332894b2399eef2cd8117e6fe19829273825892fb506
Instruction Fuzzy Hash: A9616AB65243059FCB10EF20C844AAEB3E8FF99314F44885AF989C7291DB31E955CF92

Function 002A9461 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

Part of subcall function 002119CD: GetCursorPos.USER32(?), ref: 002119E1
Part of subcall function 002119CD: ScreenToClient.USER32(00000000,?), ref: 002119FE
Part of subcall function 002119CD: GetAsyncKeyState.USER32(00000001), ref: 00211A23
Part of subcall function 002119CD: GetAsyncKeyState.USER32(00000002), ref: 00211A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 002A94CA
ImageList_EndDrag.COMCTL32 ref: 002A94D0
ReleaseCapture.USER32 ref: 002A94D6
SetWindowTextW.USER32(?,00000000), ref: 002A9571
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002A9584
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 002A965E

Strings

@GUI_DRAGFILE, xrefs: 002A95F9
p3., xrefs: 002A95D0
@GUI_DROPID, xrefs: 002A95B0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p3.
API String ID: 1924731296-3935515571
Opcode ID: 2c7fb1211df965735ae23a7e4ec7e9d4c1cad1a82dea779cce857a85d60bcdb0
Instruction ID: 3adfd77578e20566b73f5132f3fb68dea2b760b6987357685d0519aebceef019
Opcode Fuzzy Hash: 2c7fb1211df965735ae23a7e4ec7e9d4c1cad1a82dea779cce857a85d60bcdb0
Instruction Fuzzy Hash: 8B51A970614344AFD704EF20DC9AFAA77E8FF89710F500519FA96962E2CB709968CF52

Function 00283CE2 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00283D29

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00283D4A

Strings

Line %d (File "%s"):, xrefs: 00283D9D, 00283DB6
^ ERROR , xrefs: 00283DF8
Error: , xrefs: 00283E2B
"%s" (%d) : ==> %s:%s%s, xrefs: 00283E5E
Incorrect parameters to object property !, xrefs: 00283E05
"%s" (%d) : ==> %s:, xrefs: 00283E7C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6870a5d922e2bb77e08e3cae5053219942dc4df7a88a3287b2dad680bb2cf864
Instruction ID: 3f87b867692a1350ca41318b4772a779813c822f76b8f245c6568e3bf0d9c733
Opcode Fuzzy Hash: 6870a5d922e2bb77e08e3cae5053219942dc4df7a88a3287b2dad680bb2cf864
Instruction Fuzzy Hash: DB51923192014AAACF15FBE0DD46EEEB7B9AF24700F5040A5B405721A2EB752FB9DF50

Function 0027BEA4 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0027BED8
_wcslen.LIBCMT ref: 0027BEE4
_wcslen.LIBCMT ref: 0027BF29
_wcslen.LIBCMT ref: 0027BF68
_wcslen.LIBCMT ref: 0027BFA3

Strings

KEYS, xrefs: 0027BF23, 0027BF28
EXISTS, xrefs: 0027BF62, 0027BF67
REMOVE, xrefs: 0027BEDE, 0027BEE3
APPEND, xrefs: 0027BF9D, 0027BFA2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6fd45e56006809cf1c91095a47ae5fadf2475951073e3c8a969f52c6091dceb6
Instruction ID: 96990b2f12e63c25ac27b25f7214a3b5048608e291a3547256b0e941449aa210
Opcode Fuzzy Hash: 6fd45e56006809cf1c91095a47ae5fadf2475951073e3c8a969f52c6091dceb6
Instruction Fuzzy Hash: 9A412932A201279BCB116F7DCC506BEB7A5BF60B54F20852AF429C7684E735CCA1CB91

Function 00285CED Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00285CFA
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00285D70
GetLastError.KERNEL32 ref: 00285D7A
SetErrorMode.KERNEL32(00000000,READY), ref: 00285E01

Strings

INVALID, xrefs: 00285DB3
NOTREADY, xrefs: 00285DA5
UNKNOWN, xrefs: 00285D9E
READONLY, xrefs: 00285DAC
READY, xrefs: 00285DBA, 00285DC2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66b3dd55438911e55ed782224022a7d9b80e3609875bf521e75ede155deaf337
Instruction ID: e1df3d3f8b074af30adbf4a69e4c9862dafc36f9ec728688690e922facbe4dbf
Opcode Fuzzy Hash: 66b3dd55438911e55ed782224022a7d9b80e3609875bf521e75ede155deaf337
Instruction Fuzzy Hash: 8C31B239A215169FCB10EF68C48CAAABBF5EF05304F148095E806DB3E2D775DD52CB91

Function 002A45A5 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002A45D8
SetMenu.USER32(?,00000000), ref: 002A45E7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A466F
IsMenu.USER32(?), ref: 002A4683
CreatePopupMenu.USER32 ref: 002A468D
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A46BA
DrawMenuBar.USER32 ref: 002A46C2

Strings

0, xrefs: 002A45B3
F, xrefs: 002A46AD

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: e4d59b8890fd470e959a5fc0ec50ae54b8cc30be64b1683feaf5cc14124da61c
Instruction ID: 9a4c01abb42e1540bd43c7e1e90e18981536a4582a1de4e071e79784c0e8fae5
Opcode Fuzzy Hash: e4d59b8890fd470e959a5fc0ec50ae54b8cc30be64b1683feaf5cc14124da61c
Instruction Fuzzy Hash: 9C417E75A1130AEFDB14DF65E898AAA7BB9FF4A314F140028FA4697350DB70E924CF50

Function 0027276F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 002727F4
GetDlgCtrlID.USER32 ref: 002727FF
GetParent.USER32 ref: 0027281B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027281E
GetDlgCtrlID.USER32(?), ref: 00272827
GetParent.USER32(?), ref: 0027283B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027283E

Strings

ComboBox, xrefs: 0027277C
ListBox, xrefs: 002727B1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: bb47d02d0c257ffa104206ad709eb2f82b5e57552bba72cef217035694bd89bf
Instruction ID: 3de661b6a430662368631a82154a9a9eb316d5ca58df5e35cba60696ee8c9cea
Opcode Fuzzy Hash: bb47d02d0c257ffa104206ad709eb2f82b5e57552bba72cef217035694bd89bf
Instruction Fuzzy Hash: FF21CF70D10118EBCF05AFA0DC89EEEBBB8EF16310B004156F965A72A1CB7558288F60

Function 00272850 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 002728D3
GetDlgCtrlID.USER32 ref: 002728DE
GetParent.USER32 ref: 002728FA
SendMessageW.USER32(00000000,?,00000111,?), ref: 002728FD
GetDlgCtrlID.USER32(?), ref: 00272906
GetParent.USER32(?), ref: 0027291A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027291D

Strings

ComboBox, xrefs: 0027285D
ListBox, xrefs: 00272892

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: dc36c38727a7e1732a55e81c83df33def7dab7913ad047d9f03dd7647fb28e35
Instruction ID: 8e57f129a387af7b2f8ad9ca4a3dfa6d33ad5bc22daac17cbbcc33643cdde892
Opcode Fuzzy Hash: dc36c38727a7e1732a55e81c83df33def7dab7913ad047d9f03dd7647fb28e35
Instruction Fuzzy Hash: 7021CF71D10108EBCF11AFA0EC48EEEBBB8EF15300F108046B955A3291CB7588688F20

Function 002A4382 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A43FC
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A43FF
GetWindowLongW.USER32(?,000000F0), ref: 002A4426
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A4449
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A44C1
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002A450B
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002A4526
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002A4541
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002A4555
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002A4572

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e5d22ecb0eea0d7a621cd8ed3d9279540439d69a617dd6994c974cafab22964a
Instruction ID: 629c0a3d43d36de98f6c2eb6d2117175ef592698fddb56fb1b7b1b73d13c0130
Opcode Fuzzy Hash: e5d22ecb0eea0d7a621cd8ed3d9279540439d69a617dd6994c974cafab22964a
Instruction Fuzzy Hash: 08618D75910248EFDB11DFA4CC81EEE77B8EF4A310F100159FA15A72A1CBB0A955CF50

Function 0027BA0B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027BA2D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BA41
GetWindowThreadProcessId.USER32(00000000), ref: 0027BA48
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BA57
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027BA69
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BA82
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BA94
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BAD9
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BAEE
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0027AABD,?,00000001), ref: 0027BAF9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b176892c7b0566674f34145794c5f6f69c2175e78aa8b4f981855a9d780062d3
Instruction ID: 33f80f0b02eecaae39c2f83e4b0c2db65ec0f65fff6e35830c4f16a68fc30906
Opcode Fuzzy Hash: b176892c7b0566674f34145794c5f6f69c2175e78aa8b4f981855a9d780062d3
Instruction Fuzzy Hash: A631BF76550205AFDB16FF15FC8CBA977A9AB46311F10C425FA09CB190DBB4ED408B50

Function 0028874A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00288907
SetCurrentDirectoryW.KERNEL32(?), ref: 0028891B
GetFileAttributesW.KERNEL32(?), ref: 00288945
SetFileAttributesW.KERNEL32(?,00000000), ref: 0028895F
SetCurrentDirectoryW.KERNEL32(?), ref: 00288971
SetCurrentDirectoryW.KERNEL32(?), ref: 002889BA
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00288A0A

Strings

*.*, xrefs: 002889C0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ec3c2b1c5472f18d77c3bf183fbb645510fe971b1095ffc8094e20f3f70bef1a
Instruction ID: 449da1fa6d776442a8ca649fe6a5a5ff9f08dd8004243f81f6b39fa14a0e9dc4
Opcode Fuzzy Hash: ec3c2b1c5472f18d77c3bf183fbb645510fe971b1095ffc8094e20f3f70bef1a
Instruction Fuzzy Hash: 2381C47A5253059FCB20FF14C844AAAB3E9BF95310F94881AF885C7291DB74ED64CF92

Function 002172F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00217387

Part of subcall function 00217417: GetClientRect.USER32(?,?), ref: 0021743D
Part of subcall function 00217417: GetWindowRect.USER32(?,?), ref: 0021747E
Part of subcall function 00217417: ScreenToClient.USER32(?,?), ref: 002174A6

GetDC.USER32 ref: 00256045
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00256058
SelectObject.GDI32(00000000,00000000), ref: 00256066
SelectObject.GDI32(00000000,00000000), ref: 0025607B
ReleaseDC.USER32(?,00000000), ref: 00256083
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00256114

Strings

U, xrefs: 00255FE3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e4f1b6240d3dad064a8a5061457c29c7f6855c6bb4a1314afe53d81f1f9c25b5
Instruction ID: 55ff9c78242c5f9b9a95dcc8513f680cd6e9daa79cd5edae5e197793969bb6a7
Opcode Fuzzy Hash: e4f1b6240d3dad064a8a5061457c29c7f6855c6bb4a1314afe53d81f1f9c25b5
Instruction Fuzzy Hash: EF71E231420206DFCF258F64C888AFA7BB5FF49326F144269ED565B2A6C7318CA9DF50

Function 00283EF6 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,002ADCEC), ref: 00283F3E

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

LoadStringW.USER32(?,?,00000FFF,?), ref: 00283F64

Strings

Line %d (File "%s"):, xrefs: 00283FC5
Error: , xrefs: 00284049
^ ERROR, xrefs: 00284023
"%s" (%d) : ==> %s:%s%s, xrefs: 0028407E
"%s" (%d) : ==> %s:, xrefs: 0028409C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ef7152007894473380cf391ef8825f7f847f32538a5688957d6c53439ff5f971
Instruction ID: 6155e26267ba0d91dfaec9a3e1958233805cf16874202af90057967e8827f8ff
Opcode Fuzzy Hash: ef7152007894473380cf391ef8825f7f847f32538a5688957d6c53439ff5f971
Instruction Fuzzy Hash: C9517E3181015AABCF15FBE0DC46EEEBB79AF24300F044165F505720A2DB712AE9DF90

Function 0028CBB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028CBCF
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0028CBF7
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0028CC27
GetLastError.KERNEL32 ref: 0028CC7F
SetEvent.KERNEL32(?), ref: 0028CC93
InternetCloseHandle.WININET(00000000), ref: 0028CC9E

Strings

, xrefs: 0028CC18

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 96f5934ce54004d48cf5bf8a1b28c32c4c56c4158c33b125540f007f8cc8dbc4
Instruction ID: 13ebef76701dfe4920555846c2ab36e7215524712b205c49939854a818e5aae5
Opcode Fuzzy Hash: 96f5934ce54004d48cf5bf8a1b28c32c4c56c4158c33b125540f007f8cc8dbc4
Instruction Fuzzy Hash: 9C31CEB9521304AFD721AF65DD88AAB7BFCEB49744B20052EF44AD2680DB34D9189B70

Function 0027A12A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00255437,?,?,Bad directive syntax error,002ADCD0,00000000,00000010,?,?), ref: 0027A14B
LoadStringW.USER32(00000000,?,00255437,?), ref: 0027A152

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0027A216

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0027A180
Line %d (File "%s"):, xrefs: 0027A1BC
Line %d:, xrefs: 0027A1A1
Error: , xrefs: 0027A1E4
., xrefs: 0027A1FC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 78513e2f78822e8303d77addca3adcda35b40a35b72f21a3f9fb37982cfdff5a
Instruction ID: a502eaf774316a463e90574eb73dc70bbf156ac410b5bd8092620ead84249872
Opcode Fuzzy Hash: 78513e2f78822e8303d77addca3adcda35b40a35b72f21a3f9fb37982cfdff5a
Instruction Fuzzy Hash: 7521823182021EBFCF02AF90DC0AEEE7779BF29304F444456F509650A2EA759A78DF11

Function 0027292F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0027293B
GetClassNameW.USER32(00000000,?,00000100), ref: 00272950
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002729DD

Strings

largeicons, xrefs: 00272971
details, xrefs: 0027298B
smallicons, xrefs: 002729A5
list, xrefs: 002729BF
SHELLDLL_DefView, xrefs: 0027295C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2d72fc4624065d374e03f5e15a839cd44dc1478b1a99f4f6f7a856e9cf2f78de
Instruction ID: 68129a450d1405fcfaf3567cd1060ca2d3765903430ec809b70a6749b237dd0a
Opcode Fuzzy Hash: 2d72fc4624065d374e03f5e15a839cd44dc1478b1a99f4f6f7a856e9cf2f78de
Instruction Fuzzy Hash: 3911E3B66A430BFAFA002620EC0BDFA779CCF06724F344013FA09E41D1EAB1B8745954

Function 0024D230 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0024D257
_free.LIBCMT ref: 0024D2C2
_free.LIBCMT ref: 0024D2E8
_free.LIBCMT ref: 0024D311
_free.LIBCMT ref: 0024D349
_free.LIBCMT ref: 0024D37A
_free.LIBCMT ref: 0024D3BB
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0024D43C
_free.LIBCMT ref: 0024D455

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0409bbd43b5f3003dcd5052bdced854adf4b59321aa4ef30baaa9f3aa7577f96
Instruction ID: deb0a94c0e52866eeed6c7526f966b9ca8569d6eae8338026e461dac0aa95f11
Opcode Fuzzy Hash: 0409bbd43b5f3003dcd5052bdced854adf4b59321aa4ef30baaa9f3aa7577f96
Instruction Fuzzy Hash: 48612971D20346EFDF2DAF74AC857697BE89F01710F0401ADFD04AB282D6B198648F91

Function 002113A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002528F1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 0025290A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0025291A
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00252932
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00252953
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002111F5,00000000,00000000,00000000,000000FF,00000000), ref: 00252962
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025297F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002111F5,00000000,00000000,00000000,000000FF,00000000), ref: 0025298E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5760c0f0a22951e8f2f2d2a78d1caeaa4f77590835787de109ff934e8be74732
Instruction ID: 672be7c378363f6a3cb6ca0e98e00f73b998bd4dacc059c3782cc545807bd5de
Opcode Fuzzy Hash: 5760c0f0a22951e8f2f2d2a78d1caeaa4f77590835787de109ff934e8be74732
Instruction Fuzzy Hash: 3D519D3062020AEFDB24CF25DC45BAA77F5EF59710F204518FA56972E0DB70E9A4DB50

Function 0028CAA0 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0028CADF
GetLastError.KERNEL32 ref: 0028CAF2
SetEvent.KERNEL32(?), ref: 0028CB06

Part of subcall function 0028CBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0028CBCF
Part of subcall function 0028CBB0: GetLastError.KERNEL32 ref: 0028CC7F
Part of subcall function 0028CBB0: SetEvent.KERNEL32(?), ref: 0028CC93
Part of subcall function 0028CBB0: InternetCloseHandle.WININET(00000000), ref: 0028CC9E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 9728bdf75be00b39a43348889690483812b62b82861a715ba84fe83cb3291656
Instruction ID: ecc065a787e4ce4a184b6de4d59b5faf4e664e45e945dfd67b7686724ab2af47
Opcode Fuzzy Hash: 9728bdf75be00b39a43348889690483812b62b82861a715ba84fe83cb3291656
Instruction Fuzzy Hash: 5031AE79212B05BFDB25AF60DD49A76BBF8FF49304B20441DF89682650DB30E824DB60

Function 00272E32 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 002742E6
Part of subcall function 002742CC: GetCurrentThreadId.KERNEL32 ref: 002742ED
Part of subcall function 002742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00272E43), ref: 002742F4

MapVirtualKeyW.USER32(00000025,00000000), ref: 00272E4D
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00272E6B
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00272E6F
MapVirtualKeyW.USER32(00000025,00000000), ref: 00272E79
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00272E91
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00272E95
MapVirtualKeyW.USER32(00000025,00000000), ref: 00272E9F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00272EB3
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00272EB7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bf97a97cf3ad3b38a8b733b1da56e7f3d2a33b8e43ce3fde0bdd43344b1f18c5
Instruction ID: f3b0c8de1a9ca95f37dbc3565fa7a141d95b8dab7bc859c9e5749d3647a2361a
Opcode Fuzzy Hash: bf97a97cf3ad3b38a8b733b1da56e7f3d2a33b8e43ce3fde0bdd43344b1f18c5
Instruction Fuzzy Hash: 0901D831390214BBFB106769AC8EF563F59DB4AB11F101001F31DAE1E1CDF12455CE69

Function 0029AA41 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0027DC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 0027DCC1
Part of subcall function 0027DC9C: Process32FirstW.KERNEL32(00000000,?), ref: 0027DCCF
Part of subcall function 0027DC9C: CloseHandle.KERNEL32(00000000), ref: 0027DD9C

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029AACC
GetLastError.KERNEL32 ref: 0029AADF
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029AB12
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029ABC7
GetLastError.KERNEL32(00000000), ref: 0029ABD2
CloseHandle.KERNEL32(00000000), ref: 0029AC23

Strings

SeDebugPrivilege, xrefs: 0029AAEE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d34c6e3c2f5ed60b536ecd5668797f187dd1719df226ae3e30b71260293117ef
Instruction ID: b753a6b92dd05e9d463f66b58e63c315034910311b69ab161c74b4db70ec3949
Opcode Fuzzy Hash: d34c6e3c2f5ed60b536ecd5668797f187dd1719df226ae3e30b71260293117ef
Instruction Fuzzy Hash: 7A618C30214342AFDB20DF18C498F16BBE5AF54318F14849CE46A4BBA2CB75ED95CBD2

Function 002A41E5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A4284
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002A4299
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A42B3
_wcslen.LIBCMT ref: 002A42F8
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A4325
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A4353

Strings

SysListView32, xrefs: 002A4256

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b6287c4d1fcf766b28930a90c14a674dbb4c77c26ae36ee7bb449b432fdb3e89
Instruction ID: 37d555d90b6af0102b84e4a5e5562cd288bc5c1132cc6d7d40a6ff020c953d46
Opcode Fuzzy Hash: b6287c4d1fcf766b28930a90c14a674dbb4c77c26ae36ee7bb449b432fdb3e89
Instruction Fuzzy Hash: 3041CE71910309ABDB21EF64CC49FEA7BA9EF49350F100126F954E7291DBB0EDA4CB90

Function 0027C53A Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0027C5D9
IsMenu.USER32(00000000), ref: 0027C5F9
CreatePopupMenu.USER32 ref: 0027C62F
GetMenuItemCount.USER32(012B5CD8), ref: 0027C680
InsertMenuItemW.USER32(012B5CD8,?,00000001,00000030), ref: 0027C6A8

Strings

2, xrefs: 0027C613
0, xrefs: 0027C584

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5594c2f8f4fcbc80de2620d536e505970c2cfe0a24b060003b09e0233297eb70
Instruction ID: cf99364d4abebb3ad466cf9d306e6dd249ebc7259ace7d77d0090dfcda4aed28
Opcode Fuzzy Hash: 5594c2f8f4fcbc80de2620d536e505970c2cfe0a24b060003b09e0233297eb70
Instruction Fuzzy Hash: 4251D370911306ABDF24DF78D8C8BAEBBF9AF85314F34911DE409A7291D7709960CB21

Function 0027D034 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0027D0D3

Strings

stop, xrefs: 0027D0A4
question, xrefs: 0027D08C
warning, xrefs: 0027D0BC
info, xrefs: 0027D074
blank, xrefs: 0027D055

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: de62452370718eabad3af244b959f98309ba2f16499317b7eea0b94a962d6440
Instruction ID: bf47004c314612e4a00ca4237cf1936c192c06e72d221d217083ec1eb35f7593
Opcode Fuzzy Hash: de62452370718eabad3af244b959f98309ba2f16499317b7eea0b94a962d6440
Instruction Fuzzy Hash: 26110D7127C30BBAF7106F249C82DEA67FC9F16320F60406BF90866281EBB5AD214564

Function 0027E653 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0027E66E
gethostname.WSOCK32(?,00000100), ref: 0027E688
gethostbyname.WSOCK32(?), ref: 0027E695
inet_ntoa.WSOCK32(?), ref: 0027E6D7
_strcat.LIBCMT ref: 0027E6E5
WSACleanup.WSOCK32 ref: 0027E70A

Strings

0.0.0.0, xrefs: 0027E6B3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7adcb05a43a0ec6178cc4a49237982f9c81cefcabb205b9641bfd2c7f6b4f7de
Instruction ID: 41c237e89e4d6ad0c85f8889ce78dff653923342a902f48ac4edff2cd10784b8
Opcode Fuzzy Hash: 7adcb05a43a0ec6178cc4a49237982f9c81cefcabb205b9641bfd2c7f6b4f7de
Instruction Fuzzy Hash: F3110671924215AFDF287B30AC4EEDEB7BCDF49710F1140A6F54A92091EF709AA19A60

Function 0027F545 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0027F556
_wcslen.LIBCMT ref: 0027F567
_wcslen.LIBCMT ref: 0027F5A5
_wcslen.LIBCMT ref: 0027F5DB
_wcslen.LIBCMT ref: 0027F60B
_wcslen.LIBCMT ref: 0027F61B
_wcslen.LIBCMT ref: 0027F657
_wcslen.LIBCMT ref: 0027F686

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: d0ba6a08bf792b9e56ebf1705b2330ff1def3f466101a49cb576651adbc3943d
Instruction ID: 72a041ac93581fe1a2fc47e0e35acb1be09fec65d34820d4c81b5d03516bbd88
Opcode Fuzzy Hash: d0ba6a08bf792b9e56ebf1705b2330ff1def3f466101a49cb576651adbc3943d
Instruction Fuzzy Hash: F44188A5C2121475CB11EBF8984BECFB76CAF05310F508966E528E3131FA34D275CBA5

Function 0022FBD4 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002539BC,00000004,00000000,00000000), ref: 0022FC4F
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,002539BC,00000004,00000000,00000000), ref: 0026FBB5
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,002539BC,00000004,00000000,00000000), ref: 0026FC38

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 92a1d44bc9f1f48a5921fcf52d6fb2916e3f20f906540952b7b678c53570abc9
Instruction ID: 1e3f3d518d0f37eb71a5d302b05d688dab092d519a4908f35182f6354b37a900
Opcode Fuzzy Hash: 92a1d44bc9f1f48a5921fcf52d6fb2916e3f20f906540952b7b678c53570abc9
Instruction Fuzzy Hash: 0F412D30538699BACBB5CF68FBDC7267BB5AB8A300F14443EE84746960C67198A0C710

Function 002A3662 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A367A
GetDC.USER32(00000000), ref: 002A3682
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A368D
ReleaseDC.USER32(00000000,00000000), ref: 002A3699
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A36D5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A36E6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002A63C4,?,?,000000FF,00000000,?,000000FF,?), ref: 002A3721
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A3740

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7f15292ccab9b67a0d7375e93418da4dd25ffb63f0483a2725af526116b07db1
Instruction ID: 61c92f4f5788f803b594fb882ebb1510b98b0f9fb4d4f4b2a5819ac7413921bc
Opcode Fuzzy Hash: 7f15292ccab9b67a0d7375e93418da4dd25ffb63f0483a2725af526116b07db1
Instruction Fuzzy Hash: D531B1B2211214BFEB118F10DC89FEB7FADEF0A751F044055FE099A291CA759C51CBA4

Function 00275EB1 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00275EC6
_memcmp.LIBVCRUNTIME ref: 00275EE8
_memcmp.LIBVCRUNTIME ref: 00275F00
_memcmp.LIBVCRUNTIME ref: 00275F13
_memcmp.LIBVCRUNTIME ref: 00275F2D
_memcmp.LIBVCRUNTIME ref: 00275F40
_memcmp.LIBVCRUNTIME ref: 00275F58
_memcmp.LIBVCRUNTIME ref: 00275F73

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 20352c76c06209eaf76f481fadc2ae38f1aad59fd163b84f7d2bac37b1c0780c
Instruction ID: 6019ba4b4f34112273f02b41261589bd1a41455861c300e9be0c3e509f8ece4e
Opcode Fuzzy Hash: 20352c76c06209eaf76f481fadc2ae38f1aad59fd163b84f7d2bac37b1c0780c
Instruction Fuzzy Hash: 4421DAB1630A267BD30959125D82FAFF39CAE123D8F188011FD0E9A541F7F0DE3285A2

Function 0029590B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0029598B, 00295CE0
Not an Object type, xrefs: 00295964

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2ca5aa73ed945226bea1938147386bb967d1f424c44d6c3c6c3e3ac1e2a5ab89
Instruction ID: 284c1c28ebc33005ce708d1febcf31333c40b9fe825039e4e4c07bf3f0f4e066
Opcode Fuzzy Hash: 2ca5aa73ed945226bea1938147386bb967d1f424c44d6c3c6c3e3ac1e2a5ab89
Instruction Fuzzy Hash: 25D1BF71B1071AAFDF11CFA8C890BAEB7B5BF48304F14816AE915AB280E770ED55CB50

Function 002518C2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00251B9B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0025196E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00251B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 002519F1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00251B9B,?,00251B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00251A84
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00251B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00251A9B

Part of subcall function 00243BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00236A99,?,0000015D,?,?,?,?,002385D0,000000FF,00000000,?,?), ref: 00243BE2

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00251B9B,00000000,00000000,?,00000000,?,?,?,?), ref: 00251B17
__freea.LIBCMT ref: 00251B42
__freea.LIBCMT ref: 00251B4E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6151613c0f248d99df87c77c2df8f32f958573711ec332cdfef369667d177658
Instruction ID: 71b34e34e54dc8b67b8f9226fa121e4ccd8e6b91b4c68a5a49fb4fd3f0f203fe
Opcode Fuzzy Hash: 6151613c0f248d99df87c77c2df8f32f958573711ec332cdfef369667d177658
Instruction Fuzzy Hash: C291D372E202179ADF248E64C891FEEBBB5AF09315F144159EC05E7240EB35DC78CB68

Function 00294E80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00294FA5
VariantInit.OLEAUT32(?), ref: 002950A6
VariantClear.OLEAUT32(?), ref: 002950B0
VariantClear.OLEAUT32(?), ref: 0029510D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00294F35, 00295063, 0029511B
Incorrect Object type in FOR..IN loop, xrefs: 00295089

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: dcb9f60428dba7a5aeace081a5eaee829f00558d02b68f8476a476d6f76129fc
Instruction ID: 08a3827bfd3586b6f5cae57b4516a161dae6cd390f26068f9bbac8aac2d367a4
Opcode Fuzzy Hash: dcb9f60428dba7a5aeace081a5eaee829f00558d02b68f8476a476d6f76129fc
Instruction Fuzzy Hash: 5491B571A2022AAFDF21CFA4CC44FAEBBB8EF45314F108159F505AB280D7709955CFA0

Function 00281A5B Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00281B30
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281B58
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00281B7C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281BAC
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281C33
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281C98
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00281D04

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 775f3b40947f1151797063976d8949724a8a4a3333ebb3294ccd6fead8be0bdf
Instruction ID: 79c2e3028bb7a3058ee36e90592078cae20f34cbea177ac5e9b3de51e7752bf7
Opcode Fuzzy Hash: 775f3b40947f1151797063976d8949724a8a4a3333ebb3294ccd6fead8be0bdf
Instruction Fuzzy Hash: E291D0B99212199FDB00AF98D884BBEB7B8FF05715F10401AE901A72D1E774A972CF91

Function 00211D2A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cef54f5b04d8d86abcc2daed9499851b4d394d369596bc04e6603c8ff2690509
Instruction ID: 5597e55b39632b9ab4f1b114d4fe15916fa19c6be775d9f3798497020a02fc4a
Opcode Fuzzy Hash: cef54f5b04d8d86abcc2daed9499851b4d394d369596bc04e6603c8ff2690509
Instruction Fuzzy Hash: AF912B71D1021AAFCB10CFA9DC88AEEBBB9FF49320F144155E911B7251D77499A1CFA0

Function 002942A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002942C8
CharUpperBuffW.USER32(?,?), ref: 002943D7
_wcslen.LIBCMT ref: 002943E7
VariantClear.OLEAUT32(?), ref: 0029457C

Part of subcall function 002815B3: VariantInit.OLEAUT32(00000000), ref: 002815F3
Part of subcall function 002815B3: VariantCopy.OLEAUT32(?,?), ref: 002815FC
Part of subcall function 002815B3: VariantClear.OLEAUT32(?), ref: 00281608

Strings

AUTOIT.ERROR, xrefs: 002943DD, 002943E2
Incorrect Parameter format, xrefs: 00294303, 002944FE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f9f60db64da6dd261d23b71b4e9ee293bf7436ed012e8ac090e213436fa25bb1
Instruction ID: 719fc5192fca45f5580be9e7dab38b4ca07fd663cac40ce81f3a4ee613efc992
Opcode Fuzzy Hash: f9f60db64da6dd261d23b71b4e9ee293bf7436ed012e8ac090e213436fa25bb1
Instruction Fuzzy Hash: BE9148746283019FCB04EF64C48196AB7E5BF88714F14896DF88A97351DB30ED56CF92

Function 0029550A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0027089E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?,?,00270BEE), ref: 002708BB
Part of subcall function 0027089E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?), ref: 002708D6
Part of subcall function 0027089E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?), ref: 002708E4
Part of subcall function 0027089E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?), ref: 002708F4

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002955AE
_wcslen.LIBCMT ref: 002956B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0029572C
CoTaskMemFree.OLE32(?), ref: 00295737

Strings

NULL Pointer assignment, xrefs: 00295780, 002957AF

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d438f25b48c26e063a885c585d86a7a2b94dd8ce3a6b11a8aa8f82ea246e4201
Instruction ID: 73abb16ecc3e6b9f860441a14625339ee03ce14b494702c23a001d7e48763f52
Opcode Fuzzy Hash: d438f25b48c26e063a885c585d86a7a2b94dd8ce3a6b11a8aa8f82ea246e4201
Instruction Fuzzy Hash: 1E912771D1022DEFDF11DFA4DC80AEEB7B9AF08304F10416AE915A7251DB709A64CFA0

Function 002A2A5C Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A2AE2
GetMenuItemCount.USER32(00000000), ref: 002A2B14
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A2B3C
_wcslen.LIBCMT ref: 002A2B72
GetMenuItemID.USER32(?,?), ref: 002A2BAC
GetSubMenu.USER32(?,?), ref: 002A2BBA

Part of subcall function 002742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 002742E6
Part of subcall function 002742CC: GetCurrentThreadId.KERNEL32 ref: 002742ED
Part of subcall function 002742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00272E43), ref: 002742F4

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002A2C42

Part of subcall function 0027F1A7: Sleep.KERNEL32 ref: 0027F21F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 53b621843511b894f02061026ab83cc13af0d9139e06cc1a574321cc1cd8c147
Instruction ID: b4cfbf5b0bc7144a3d618ee3ced026a84c02561ae66b379f164e61b63f927b1e
Opcode Fuzzy Hash: 53b621843511b894f02061026ab83cc13af0d9139e06cc1a574321cc1cd8c147
Instruction Fuzzy Hash: FE71B275A10205EFCB10EF68C885AAEB7F5EF49320F118459E81AEB351DB74ED518FA0

Function 002A87FD Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002A8896
IsWindowEnabled.USER32(00000000), ref: 002A88A2
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002A897D
SendMessageW.USER32(00000000,000000B0,?,?), ref: 002A89B0
IsDlgButtonChecked.USER32(?,00000000), ref: 002A89E8
GetWindowLongW.USER32(00000000,000000EC), ref: 002A8A0A
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002A8A22

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2fdca5d88c76ab9a5e6c10b7dc782a539c0893be3eab287f2a85e8668c2bf6bf
Instruction ID: edc6276ba4626600b239d332cf68eb45ae3f946e35a13ee37673f1e819c54f69
Opcode Fuzzy Hash: 2fdca5d88c76ab9a5e6c10b7dc782a539c0893be3eab287f2a85e8668c2bf6bf
Instruction Fuzzy Hash: AA71CF34A1020AEFEF259F54C894FBABBB9EF0B300F144459E95657362CF31A964CB11

Function 0027B796 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0027B7D5
GetKeyboardState.USER32(?), ref: 0027B7EA
SetKeyboardState.USER32(?), ref: 0027B84B
PostMessageW.USER32(?,00000101,00000010,?), ref: 0027B879
PostMessageW.USER32(?,00000101,00000011,?), ref: 0027B898
PostMessageW.USER32(?,00000101,00000012,?), ref: 0027B8D9
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0027B8FC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 54c556a964c4cff1e39507573e369903f1eeee990a44ce52b3321157a7c429c3
Instruction ID: 2ba8ee0d86f9ae358d8c89ef7fd453178981a704f6898b82ccf7d62c496a706a
Opcode Fuzzy Hash: 54c556a964c4cff1e39507573e369903f1eeee990a44ce52b3321157a7c429c3
Instruction Fuzzy Hash: F051B4A0A247D67DFB374A348C45BB6BE996F06304F08C489E2DD458D2C7B8ACA4DB51

Function 0027B5B6 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0027B5F5
GetKeyboardState.USER32(?), ref: 0027B60A
SetKeyboardState.USER32(?), ref: 0027B66B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0027B697
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0027B6B4
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0027B6F3
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0027B714

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: be6c52b0b4c50f1b6546fc4e45f05834b83b4c5816ca53f9596ea59132386e33
Instruction ID: b3d7061cd1191a083663e21f4db29a0b6c44d2019c8fdec3c457f7c392c668dd
Opcode Fuzzy Hash: be6c52b0b4c50f1b6546fc4e45f05834b83b4c5816ca53f9596ea59132386e33
Instruction Fuzzy Hash: CB51E6A15246D63DFB374B348C45B7ABF986B46304F08C489E1DD4A8C2D7B4ACA8D750

Function 002457BE Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00245F33,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00245800
__fassign.LIBCMT ref: 0024587B
__fassign.LIBCMT ref: 00245896
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 002458BC
WriteFile.KERNEL32(?,FF8BC35D,00000000,00245F33,00000000,?,?,?,?,?,?,?,?,?,00245F33,?), ref: 002458DB
WriteFile.KERNEL32(?,?,00000001,00245F33,00000000,?,?,?,?,?,?,?,?,?,00245F33,?), ref: 00245914

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6bbabb00416c929934def1e017e9c10f01cfbca5751d5f958d89954d9739484b
Instruction ID: 9bd9cf27297a431bce3d9ca747fe19c2521d97768feae3cdf0b82a84c3b39041
Opcode Fuzzy Hash: 6bbabb00416c929934def1e017e9c10f01cfbca5751d5f958d89954d9739484b
Instruction Fuzzy Hash: 21510871A1024ADFCB14CFA4D885BEEBBF8EF09310F14405AE595E7292D7319960CFA0

Function 002330B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002330DB
___except_validate_context_record.LIBVCRUNTIME ref: 002330E3
_ValidateLocalCookies.LIBCMT ref: 00233171
__IsNonwritableInCurrentImage.LIBCMT ref: 0023319C
_ValidateLocalCookies.LIBCMT ref: 002331F1

Strings

csm, xrefs: 00233186

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 27fbcec28205fbaf9dddc136e7d91c6f1b3100d73eb88505a0b74d305dbfe100
Instruction ID: 0b42b8daad1da11b076a5b9c956e08c358ee2fb8e7396d332ea9daefacd7d7bc
Opcode Fuzzy Hash: 27fbcec28205fbaf9dddc136e7d91c6f1b3100d73eb88505a0b74d305dbfe100
Instruction Fuzzy Hash: 604117B0E20209ABCF10DF68CC44A9EBBB4AF44324F148155E858AB392D735DF25CF90

Function 00291A15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002939AB: inet_addr.WSOCK32(?), ref: 002939D7
Part of subcall function 002939AB: _wcslen.LIBCMT ref: 002939F8

socket.WSOCK32(00000002,00000001,00000006), ref: 00291A6F
WSAGetLastError.WSOCK32 ref: 00291A7E
WSAGetLastError.WSOCK32 ref: 00291B26
closesocket.WSOCK32(00000000), ref: 00291B56

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 85c587a5892e9914ab38d3a620e6e9ad1d072a9a2c48ee195dd13ed052813ab2
Instruction ID: 54f40b108ec44098dea9ffe27b0b1ab636b8f2da4f9772b1882ad787c0b6a206
Opcode Fuzzy Hash: 85c587a5892e9914ab38d3a620e6e9ad1d072a9a2c48ee195dd13ed052813ab2
Instruction Fuzzy Hash: 4341F631210105AFDF109F65C844BA9B7E9EF45324F148059FC169B291DB74EDA1CFE1

Function 0027D6C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027D6E2,?), ref: 0027E629

Part of subcall function 0027E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027D6E2,?), ref: 0027E642

lstrcmpiW.KERNEL32(?,?), ref: 0027D705
MoveFileW.KERNEL32(?,?), ref: 0027D73F
_wcslen.LIBCMT ref: 0027D7C5
_wcslen.LIBCMT ref: 0027D7DB
SHFileOperationW.SHELL32(?), ref: 0027D821

Strings

\*.*, xrefs: 0027D7B3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0f2bd921af05ce8f2ba587ac48d9a8441dd197a5e077876433053a6620e385bb
Instruction ID: 26f403d98de4dbebc28542cca540d420297ef432834725f7a829b84eff862633
Opcode Fuzzy Hash: 0f2bd921af05ce8f2ba587ac48d9a8441dd197a5e077876433053a6620e385bb
Instruction Fuzzy Hash: E44183718152199FDF16EFA4D981FDEB3B8AF09380F0040E6A509EB141EA34AB98CF50

Function 002A375C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002A377B
GetWindowLongW.USER32(?,000000F0), ref: 002A37AE
GetWindowLongW.USER32(?,000000F0), ref: 002A37E3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002A3815
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002A383F
GetWindowLongW.USER32(?,000000F0), ref: 002A3850
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A386A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d15dc65d35c38d5d4fb376fd441c101fcc5d59c8c6e847ce5c7d8f21182c4e46
Instruction ID: 1bd6cbcccc0ac7f8fae8f2aeda4cc732c2b2a985db9668fb2391ea6e145ae387
Opcode Fuzzy Hash: d15dc65d35c38d5d4fb376fd441c101fcc5d59c8c6e847ce5c7d8f21182c4e46
Instruction Fuzzy Hash: 8E3110B5654241EFEB25CF08EC88F6577E5EB8A710F241164F5168B2A2CF70A9508B40

Function 0027808C Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002780D1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002780F7
SysAllocString.OLEAUT32(00000000), ref: 002780FA
SysAllocString.OLEAUT32 ref: 0027811B
SysFreeString.OLEAUT32 ref: 00278124
StringFromGUID2.OLE32(?,?,00000028), ref: 0027813E
SysAllocString.OLEAUT32(?), ref: 0027814C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7dd36c8b88682d6f27652bcd33d481b2c5d875a8743329433812e4f72bbb8eb6
Instruction ID: a7b092b919fc9c936c3930b2d08b10bc385e9445016450d6dd2e720748d25b08
Opcode Fuzzy Hash: 7dd36c8b88682d6f27652bcd33d481b2c5d875a8743329433812e4f72bbb8eb6
Instruction Fuzzy Hash: 41218375650215AFDB109FA8DC8CDAA77ECEB49360750C125F90DCB2A0DE70EC56CB64

Function 00280D8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00280DAE
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00280DEA

Strings

nul, xrefs: 00280E23

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9888693686b869d9272806f51b88240b7c116ccd1d26751dc43e45463bf8f9b8
Instruction ID: 7e79dd817267b507098616254c1d0bb029e61dda1f3616fed8aa892bbef7cbcf
Opcode Fuzzy Hash: 9888693686b869d9272806f51b88240b7c116ccd1d26751dc43e45463bf8f9b8
Instruction Fuzzy Hash: 18215E78511306AFDB60AF65D884A9ABBA4EF45720F204E19E9A1D72D0D7709864CB50

Function 00280E63 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00280E82
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00280EBD

Strings

nul, xrefs: 00280EF5

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 24784d16e93b28496a5b5862a5916e2193e082754fb4bc2217d15f07657a1ee5
Instruction ID: 2be51ec0eea63bfeec4beed3f1a9f6e58c5426da7fa5aab03702883e986aa9ce
Opcode Fuzzy Hash: 24784d16e93b28496a5b5862a5916e2193e082754fb4bc2217d15f07657a1ee5
Instruction Fuzzy Hash: CC2197795113069BDB70AF28DC84A9A77E4EF59724F204A19FDA1D32D0DB709864CB50

Function 002A4A0C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00217759
Part of subcall function 0021771B: GetStockObject.GDI32(00000011), ref: 0021776D
Part of subcall function 0021771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00217777

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A4A71
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A4A7E
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A4A89
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A4A98
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A4AA4

Strings

Msctls_Progress32, xrefs: 002A4A42

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 70b1edb46c199faf66cae3b7f8acb9de83145e84eb23b005ec4ce019f6594844
Instruction ID: 9b5aa054844a85bab57d485d8af23274d11ad6b84cd42cf3faebf4e6b45c4739
Opcode Fuzzy Hash: 70b1edb46c199faf66cae3b7f8acb9de83145e84eb23b005ec4ce019f6594844
Instruction Fuzzy Hash: 2311B2B215021EBFEF119F64CC85EE77FADEF09758F008111BB18A6090CA72DC219BA4

Function 0024DB7F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024DB43: _free.LIBCMT ref: 0024DB6C

_free.LIBCMT ref: 0024DBCD

Part of subcall function 00242D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4), ref: 00242D6E
Part of subcall function 00242D58: GetLastError.KERNEL32(002E1DC4,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4,002E1DC4), ref: 00242D80

_free.LIBCMT ref: 0024DBD8
_free.LIBCMT ref: 0024DBE3
_free.LIBCMT ref: 0024DC37
_free.LIBCMT ref: 0024DC42
_free.LIBCMT ref: 0024DC4D
_free.LIBCMT ref: 0024DC58

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 011c9fcdfffbb28754d841d640f2f16bc0c3355fe7143b555e7362462a8649b7
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: A6118471990744E6DE24FB70CC07FCBB7DC9F50700F450C25B299A6162D674B6A94E50

Function 0027E223 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0027E23D
LoadStringW.USER32(00000000), ref: 0027E244
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0027E25A
LoadStringW.USER32(00000000), ref: 0027E261
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027E2A5

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0027E282

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 9f15db49e6e2b8d9c53eaf8b438810d12a4348a080a4bc8087153073221ab200
Instruction ID: 847d72b51d246d8f3ccb5e739d72e3f5027d2355fd181204e65c203b56b9a824
Opcode Fuzzy Hash: 9f15db49e6e2b8d9c53eaf8b438810d12a4348a080a4bc8087153073221ab200
Instruction Fuzzy Hash: 6C0186F29102087FE7119B94ED8DEE7776CDB09700F414592BB4BE2041EA749E848B74

Function 00281227 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00281237
EnterCriticalSection.KERNEL32(00000000,?), ref: 00281249
TerminateThread.KERNEL32(00000000,000001F6), ref: 00281257
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00281265
CloseHandle.KERNEL32(00000000), ref: 00281274
InterlockedExchange.KERNEL32(?,000001F6), ref: 00281284
LeaveCriticalSection.KERNEL32(00000000), ref: 0028128B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 15d2a29be355e280c2458d53af1f2ec0ef07d741cfa62b6db0848b1a0acd0bac
Instruction ID: b5a589ca56cb91848be42bf4843d27a1945f57ff92cea77f9a27d924e7ea4d20
Opcode Fuzzy Hash: 15d2a29be355e280c2458d53af1f2ec0ef07d741cfa62b6db0848b1a0acd0bac
Instruction Fuzzy Hash: BEF0F632042A12ABD7511F64EE4CBD6BB39FF02302F402025E50291CA4CB749876CF90

Function 002925BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 0029271D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0029273E
WSAGetLastError.WSOCK32 ref: 0029274F
htons.WSOCK32(?), ref: 00292838
inet_ntoa.WSOCK32(?), ref: 002927E9

Part of subcall function 00274277: _strlen.LIBCMT ref: 00274281

Part of subcall function 00293B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0028F569), ref: 00293B9D

_strlen.LIBCMT ref: 00292892

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c7183819e5fad31d9c51d46576822de7ac3b94643e1317df46579955cd99d9aa
Instruction ID: 1b6d4e46a1a912615b55fb5b24dde9fe82d261421aa796b07ff7c61891215b2f
Opcode Fuzzy Hash: c7183819e5fad31d9c51d46576822de7ac3b94643e1317df46579955cd99d9aa
Instruction Fuzzy Hash: F7B11235210301EFD724DF24C885F6A77E9AF94318F54854CF49A4B2A2CB31ED9ACB91

Function 00217417 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0021743D
GetWindowRect.USER32(?,?), ref: 0021747E
ScreenToClient.USER32(?,?), ref: 002174A6
GetClientRect.USER32(?,?), ref: 002175E4
GetWindowRect.USER32(?,?), ref: 00217605

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dd6e0452e6f4c46ae4ba379a07f51a03c541361de5994a5a8c5f2d16172fac75
Instruction ID: dccc7c4dcbf9080f143f1e28d48b4450a96f76270388d6a678c7b24dd4ddcb41
Opcode Fuzzy Hash: dd6e0452e6f4c46ae4ba379a07f51a03c541361de5994a5a8c5f2d16172fac75
Instruction Fuzzy Hash: 4CB17934A2464ADBDB10CFB9C4447EAB7F2FF94310F54851AECAAD3250DB30A9A4DB54

Function 00240547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0024044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00240466
__allrem.LIBCMT ref: 0024047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0024049B
__allrem.LIBCMT ref: 002404B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002404D0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction ID: 7e6f0b61a495e7b85527d0aca208098ddc96a66e6035b2343f2e6aa3d919d6b9
Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
Instruction Fuzzy Hash: D581DA72A207069BD728AE79CCC1B6A77E8EF44324F24412EF711D7681E7B0D9A48F54

Function 0024658E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00238669,00238669,?,?,?,002467DF,00000001,00000001,8BE85006), ref: 002465E8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002467DF,00000001,00000001,8BE85006,?,?,?), ref: 0024666E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00246768
__freea.LIBCMT ref: 00246775

Part of subcall function 00243BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00236A99,?,0000015D,?,?,?,?,002385D0,000000FF,00000000,?,?), ref: 00243BE2

__freea.LIBCMT ref: 0024677E
__freea.LIBCMT ref: 002467A3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4362793834f98d6ecd647feb96f0f326fc8806a20a94ca6b774f3e53095f07fc
Instruction ID: b40aa2fc500473f54dbd3cf1eedff415a4cc6f103f4261c30acef7177613d360
Opcode Fuzzy Hash: 4362793834f98d6ecd647feb96f0f326fc8806a20a94ca6b774f3e53095f07fc
Instruction Fuzzy Hash: A2512672620617AFDB288F24CC89EBFB7A9EF42754F154229FC05D6140EB74EC60CA51

Function 0029C53A Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 0029D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029C00D,?,?), ref: 0029D314
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D350
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3C7
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C629
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029C684
RegCloseKey.ADVAPI32(00000000), ref: 0029C6C9
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0029C6F8
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0029C752
RegCloseKey.ADVAPI32(?), ref: 0029C75E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c697af703e136925bd5cc76f82ba5842187d139ee600ae2f1761f23f51f93bb1
Instruction ID: b8c8f2933d8ee9eab4a45002050aeaecd835a232bac7f5c4bf2e30ade599a761
Opcode Fuzzy Hash: c697af703e136925bd5cc76f82ba5842187d139ee600ae2f1761f23f51f93bb1
Instruction Fuzzy Hash: 3A818E71128241AFDB14DF24C884E6ABBF9BF84308F14855CF4598B2A2DB31ED55CF92

Function 0027003D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00270049
SysAllocString.OLEAUT32(00000000), ref: 002700F0
VariantCopy.OLEAUT32(002702F4,00000000), ref: 00270119
VariantClear.OLEAUT32(002702F4), ref: 0027013D
VariantCopy.OLEAUT32(002702F4,00000000), ref: 00270141
VariantClear.OLEAUT32(?), ref: 0027014B

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ccb3b245491bde2f659bad9b09a00c2eeefb6ae34851a3b44a14c855ffc2afc1
Instruction ID: 5aa21e4377c20138aa251949009b178c34c892b5328e0e0bf62b6b0e85b038d4
Opcode Fuzzy Hash: ccb3b245491bde2f659bad9b09a00c2eeefb6ae34851a3b44a14c855ffc2afc1
Instruction Fuzzy Hash: 7D51D435670310EBCF20AF64D8D9A29B3A4AF15310F24D046ED0ADF296DAB09C68CB91

Function 00289A66 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00214154: _wcslen.LIBCMT ref: 00214159

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

GetOpenFileNameW.COMDLG32(00000058), ref: 00289E3F
_wcslen.LIBCMT ref: 00289E60
_wcslen.LIBCMT ref: 00289E87
GetSaveFileNameW.COMDLG32(00000058), ref: 00289EDF

Strings

X, xrefs: 00289D6C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f98888dc3ba950375daecde51de7fcf88094ff97b84f0ff03007c9a087c3c2b1
Instruction ID: c484328c249cd5f31e75b1e31d7c149525ef883367e553268b8009574e270eb5
Opcode Fuzzy Hash: f98888dc3ba950375daecde51de7fcf88094ff97b84f0ff03007c9a087c3c2b1
Instruction Fuzzy Hash: E6E1D3755243418FC724EF24C881BAAB7E5BF94304F08856DF8898B2A2DB31DD95CF92

Function 00211AAC Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

BeginPaint.USER32(?,?,?), ref: 00211AE1
GetWindowRect.USER32(?,?), ref: 00211B45
ScreenToClient.USER32(?,?), ref: 00211B62
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00211B73
EndPaint.USER32(?,?,?,?,?), ref: 00211BC1
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0025324B

Part of subcall function 00211BD9: BeginPath.GDI32(00000000), ref: 00211BF7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: efed7dcb87f2d6fc0b3a3049b4f03129e729761d6ed0f40b9e8a5ecbc26d73f2
Instruction ID: 9a70957c3134da767e30f213fbf4cc9d8d0b93ed2f9b390cc686166036b1960d
Opcode Fuzzy Hash: efed7dcb87f2d6fc0b3a3049b4f03129e729761d6ed0f40b9e8a5ecbc26d73f2
Instruction Fuzzy Hash: BD41E2301143019FD710DF24EC88FB67BE8EB56324F100269FA66CA1A2D77199A9DB61

Function 002810AB Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002810C8
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00281103
EnterCriticalSection.KERNEL32(?), ref: 0028111F
LeaveCriticalSection.KERNEL32(?), ref: 00281198
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002811AF
InterlockedExchange.KERNEL32(?,000001F6), ref: 002811DD

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 52d427b0db050ef1287db9a39fb1d7f7f99fa7cde12c59ebc048b35ed7297b45
Instruction ID: e897dd262406e092d47a2b4d210b03359ba66804224ac8be12f5e4ca43a44990
Opcode Fuzzy Hash: 52d427b0db050ef1287db9a39fb1d7f7f99fa7cde12c59ebc048b35ed7297b45
Instruction Fuzzy Hash: F3414E75910205EBDF04AF54DCC9AAAB778FF44310F1480A5FE089A296DB70DE65DFA0

Function 002A8B3A Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0026FB8F,00000000,?,?,00000000,?,002539BC,00000004,00000000,00000000), ref: 002A8BAB
EnableWindow.USER32(?,00000000), ref: 002A8BD1
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002A8C30
ShowWindow.USER32(?,00000004), ref: 002A8C44
EnableWindow.USER32(?,00000001), ref: 002A8C6A
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002A8C8E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3682e084232caa1032659631622c0102502d65c8b71398cca6b25fcefaead07b
Instruction ID: a41bde51ec86eb15561d35150d651936fcff919fa522f5a2ab86a0d9cfc0d9ef
Opcode Fuzzy Hash: 3682e084232caa1032659631622c0102502d65c8b71398cca6b25fcefaead07b
Instruction Fuzzy Hash: E741C774611245FFDB19CF14E889BA17BE5FB07318F185169E6098F2A2CF31A865CF60

Function 00292C37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00292C45

Part of subcall function 0028EE49: GetWindowRect.USER32(?,?), ref: 0028EE61

GetDesktopWindow.USER32 ref: 00292C6F
GetWindowRect.USER32(00000000), ref: 00292C76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00292CB2
GetCursorPos.USER32(?), ref: 00292CDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00292D3C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 179fe52e32c5cc0ee1705fa55e4cab6a6c8aa562c1b967427d34f35c10114222
Instruction ID: 4672150d6e4d477b58ab04ec169ef58c0c327724b6fab82165175114b56b2623
Opcode Fuzzy Hash: 179fe52e32c5cc0ee1705fa55e4cab6a6c8aa562c1b967427d34f35c10114222
Instruction Fuzzy Hash: BC31F072515316ABDB20DF14D848B9EB7A9FF84314F00091AF489A7190CB30E918CBA2

Function 0027550C Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00275524
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00275541
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00275579
_wcslen.LIBCMT ref: 00275597
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0027559F
_wcsstr.LIBVCRUNTIME ref: 002755A9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 4cbd9e5db800b8fe2f5001f17fe1a8619c06b36b552c5b98e31757ecd8708383
Instruction ID: 296c9453c4e8a4a861a09bf9f86564bbbbaa538ff3b95c922e89daf30e23baff
Opcode Fuzzy Hash: 4cbd9e5db800b8fe2f5001f17fe1a8619c06b36b552c5b98e31757ecd8708383
Instruction Fuzzy Hash: A12129B22246117BEB155F29AC49E7BBBADDF45710F508029F80DC9091EFB4DC5097A0

Function 00286178 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 0021557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00215558,?,?,00254B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0021559E

_wcslen.LIBCMT ref: 002861D5
CoInitialize.OLE32(00000000), ref: 002862EF
CoCreateInstance.OLE32(002B0CC4,00000000,00000001,002B0B34,?), ref: 00286308
CoUninitialize.OLE32 ref: 00286326

Strings

.lnk, xrefs: 002861D0, 0028621B, 002862DF

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f023eac0a92362926cf82c4a6b3d8cb575d3dafabe52405c61ec8a703c2e78c2
Instruction ID: a271f4d02f822c822a99900b103c7ede0e445a228c609b43f4c83635219cfb37
Opcode Fuzzy Hash: f023eac0a92362926cf82c4a6b3d8cb575d3dafabe52405c61ec8a703c2e78c2
Instruction Fuzzy Hash: CBD164786142119FC714EF14C488A6ABBF2FF99714F148899F8869B3A1CB31EC55CF92

Function 00271D5E Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00271D8F
OpenProcessToken.ADVAPI32(00000000), ref: 00271D96
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00271DA5
CloseHandle.KERNEL32(00000004), ref: 00271DB0
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00271DDF
DestroyEnvironmentBlock.USERENV(00000000), ref: 00271DF3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d9b7f2a0530f482328b36b239d213b8fe9bcce7fe9f31f62b7b6b136396c1ebb
Instruction ID: 5cfd2a0e63d2e692e831b670fa76ede18ce7731c77521cbd1f5833fab26254e2
Opcode Fuzzy Hash: d9b7f2a0530f482328b36b239d213b8fe9bcce7fe9f31f62b7b6b136396c1ebb
Instruction Fuzzy Hash: 72113A7650020EABDF218FA8ED49FDE7BA9EF49344F048054FA09A2060D7758E65DB60

Function 00233712 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00233709,00233375), ref: 00233720
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0023372E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00233747
SetLastError.KERNEL32(00000000,?,00233709,00233375), ref: 00233799

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8292dd4fabe329d0dc7126bd9dfe7925766cec0085041a79f3f488f674e47836
Instruction ID: 7524317758e2df66076afda8372e9728fe510442dc161a59715b83b10ab009c4
Opcode Fuzzy Hash: 8292dd4fabe329d0dc7126bd9dfe7925766cec0085041a79f3f488f674e47836
Instruction Fuzzy Hash: CA0147F3A7A7126EAA24AB757CCD7366F94DB49772F20432AF410451F0EF214F229940

Function 00243104 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00234D73,00000000,?,?,00236902,?,?,00000000), ref: 00243108
_free.LIBCMT ref: 0024313B
_free.LIBCMT ref: 00243163
SetLastError.KERNEL32(00000000,?,00000000), ref: 00243170
SetLastError.KERNEL32(00000000,?,00000000), ref: 0024317C
_abort.LIBCMT ref: 00243182

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 960be922bdab79ef4384377cebf142f94fe2bc2363e50393e60c980e80d151d0
Instruction ID: 32486a0e06b22a17cfb74c635bb27ad1374b7aac8e149897c108c015006423dc
Opcode Fuzzy Hash: 960be922bdab79ef4384377cebf142f94fe2bc2363e50393e60c980e80d151d0
Instruction Fuzzy Hash: 96F02832974902A7C71EB735BC0EE1E22699FC9770F650825F42DD21D1EF608E364921

Function 002A9383 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00211ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00211F33
Part of subcall function 00211ED9: SelectObject.GDI32(?,00000000), ref: 00211F42
Part of subcall function 00211ED9: BeginPath.GDI32(?), ref: 00211F59
Part of subcall function 00211ED9: SelectObject.GDI32(?,00000000), ref: 00211F82

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002A93AD
LineTo.GDI32(?,00000003,00000000), ref: 002A93C1
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002A93CF
LineTo.GDI32(?,00000000,00000003), ref: 002A93DF
EndPath.GDI32(?), ref: 002A93EF
StrokePath.GDI32(?), ref: 002A93FF

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 376595d5f236f91fdff2df9270a02bf3d01a1d5c6047db98e2f6a44bfb7c6794
Instruction ID: 7565399976de35f9720c42416a7a3b5d1e679302e0831e0a6455e7907513c6bc
Opcode Fuzzy Hash: 376595d5f236f91fdff2df9270a02bf3d01a1d5c6047db98e2f6a44bfb7c6794
Instruction Fuzzy Hash: 91111B7200014DFFDF029F91EC8CE9A7FADEB09350F008011BA0A5A1A1DB71AD66DFA0

Function 00275A8C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00275AA7
GetDeviceCaps.GDI32(00000000,00000058), ref: 00275AB8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00275ABF
ReleaseDC.USER32(00000000,00000000), ref: 00275AC7
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00275ADE
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00275AF0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: dd2cef1218de709a86b5b753a4769fd61f86274af6d6adbb68f298dc5b5d339d
Instruction ID: b80174ff5361a1a0a327b65c2cdfbdf763c4735a7d81a60a300770bcbcc731da
Opcode Fuzzy Hash: dd2cef1218de709a86b5b753a4769fd61f86274af6d6adbb68f298dc5b5d339d
Instruction Fuzzy Hash: AD014475E00715BBEB109FA5AC49B8EBF78EB49751F008065FA09A7280DA70D811CF50

Function 00213205 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00213236
MapVirtualKeyW.USER32(00000010,00000000), ref: 0021323E
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00213249
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00213254
MapVirtualKeyW.USER32(00000011,00000000), ref: 0021325C
MapVirtualKeyW.USER32(00000012,00000000), ref: 00213264

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 93385147eb335cd39be762f1bb294200db67c22051d9a827790dfea468ed5d26
Instruction ID: c7331787ce881060b6751ffb6d19da4878ab9fc84c5303090da5ad402f1f8070
Opcode Fuzzy Hash: 93385147eb335cd39be762f1bb294200db67c22051d9a827790dfea468ed5d26
Instruction Fuzzy Hash: 400167B0902B5ABDE3008F6A8C85B52FFA8FF19754F00411BA15C4BA42C7F5A864CBE5

Function 0027F34C Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0027F35C
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0027F372
GetWindowThreadProcessId.USER32(?,?), ref: 0027F381
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027F390
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027F39A
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0027F3A1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 055cd607589580296aa1fc3b5a3d52e5f3c3357794ba17eded5160af102e9721
Instruction ID: cdc1a5870df4c8055e4447ea17062c22a2741a38723f7077dd9296ce31e5d608
Opcode Fuzzy Hash: 055cd607589580296aa1fc3b5a3d52e5f3c3357794ba17eded5160af102e9721
Instruction Fuzzy Hash: 59F03036241154BBE7215B62AC0DEEF7B7CDFC7B11F000058F60691090DBA05A01D6B5

Function 0025349A Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 002534B3
SendMessageW.USER32(?,00001328,00000000,?), ref: 002534CA
GetWindowDC.USER32(?), ref: 002534D6
GetPixel.GDI32(00000000,?,?), ref: 002534E5
ReleaseDC.USER32(?,00000000), ref: 002534F7
GetSysColor.USER32(00000005), ref: 00253511

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 394c678d59a68c2afc5bf46a8d8e17362d15ab77433111ef5005aea25fc926ee
Instruction ID: f193e6cecea9c980f2a0f2a40bf4d7e456986136188b0eac92c3f7f3bcc00161
Opcode Fuzzy Hash: 394c678d59a68c2afc5bf46a8d8e17362d15ab77433111ef5005aea25fc926ee
Instruction Fuzzy Hash: 24015A71810209EFDB119F60EC48BEA7BB9FB09311F9111A4F916A21A1CF311E65AF11

Function 00272104 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027210F
UnloadUserProfile.USERENV(?,?), ref: 0027211B
CloseHandle.KERNEL32(?), ref: 00272124
CloseHandle.KERNEL32(?), ref: 0027212C
GetProcessHeap.KERNEL32(00000000,?), ref: 00272135
HeapFree.KERNEL32(00000000), ref: 0027213C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cb3f265c071654fd6c52e8fea0f0cf6ad551e800d35bfe6ada1fa559798b0514
Instruction ID: 23e0e25d50d5ab4b4a2e93f372af2fc6017ae65bf9cbbf0b881ca84f7a5a79b9
Opcode Fuzzy Hash: cb3f265c071654fd6c52e8fea0f0cf6ad551e800d35bfe6ada1fa559798b0514
Instruction Fuzzy Hash: 17E0757A104505FBDB011FA5FD0C94ABF79FF4A722B504625F22A82870DF329461DF51

Function 0027CD90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00214154: _wcslen.LIBCMT ref: 00214159

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027CEAE
_wcslen.LIBCMT ref: 0027CEF5
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0027CF5C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0027CF8A

Strings

0, xrefs: 0027CE6F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: fcf4a7501cd42bf4cb99afd3f667af9c5d24ce7c6b888c2c54b6a3c0f5a04d10
Instruction ID: aed3c80acecda6a8f2b24f29b08e0f0e0cc2cc9cc9243f4b33e0215bb32ea249
Opcode Fuzzy Hash: fcf4a7501cd42bf4cb99afd3f667af9c5d24ce7c6b888c2c54b6a3c0f5a04d10
Instruction Fuzzy Hash: 535104716343029BD714DF38C884B6BB7E9AF99310F24892EF89DD6590DB70C9648B53

Function 0029B6C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0029B802

Part of subcall function 00214154: _wcslen.LIBCMT ref: 00214159

GetProcessId.KERNEL32(00000000), ref: 0029B897
CloseHandle.KERNEL32(00000000), ref: 0029B8C6

Strings

@, xrefs: 0029B7D1
<, xrefs: 0029B7CA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 72c5bc1accf31112767fcad85d4fec10e0966d81de6cb143bea7d766487df6c8
Instruction ID: 66b656323ee09b60d63345af6b86fa0f87a0f0c96c690b8ae9705d49d79e3484
Opcode Fuzzy Hash: 72c5bc1accf31112767fcad85d4fec10e0966d81de6cb143bea7d766487df6c8
Instruction Fuzzy Hash: 54715675A10219DFCF11DF94D584A9EBBF5BF08310F048499E859AB362CB70AD95CF90

Function 00277A2D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00277A95
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00277ACB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00277ADC
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00277B5E

Strings

DllGetClassObject, xrefs: 00277AD1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 3daf01884889700e191ed00043866660dd1548d14a3e9a0b9f8b805a63695678
Instruction ID: 709ded84a3623e73059b3f53f3af1dea311202408b9179544a83a2a21e246146
Opcode Fuzzy Hash: 3daf01884889700e191ed00043866660dd1548d14a3e9a0b9f8b805a63695678
Instruction Fuzzy Hash: FB419D71614208EFDB05CF64C884A9A7BB9EF49318F14D0AEAD09DF246D7B0DD64CBA0

Function 002A46DB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A4794
IsMenu.USER32(?), ref: 002A47A9
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A47F1
DrawMenuBar.USER32 ref: 002A4804

Strings

0, xrefs: 002A46E8

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c8c644c46453fcc18cb86b14c0b266ab864967c3a2a933810f7955d4f98263d7
Instruction ID: 7b74df7b44c3dd1e28f5a0d5c48b699b1945de8f7db3702d2040a718c42e5461
Opcode Fuzzy Hash: c8c644c46453fcc18cb86b14c0b266ab864967c3a2a933810f7955d4f98263d7
Instruction Fuzzy Hash: 15415D75A2124AEFDB20DF54EC84EAAB7B8FF86314F144129E90597250CBB4ED64CF50

Function 00272672 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002726F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00272709
SendMessageW.USER32(?,00000189,?,00000000), ref: 00272739

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Strings

ComboBox, xrefs: 00272680
ListBox, xrefs: 002726B5

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e7f902fd16b2de1d0e722a1b9df504f7a170521182f2521aafd66c31abe4c486
Instruction ID: 6edeeea55b2bc30fc3ba4e8dc2ff5c6f8c8b1e75330c866aded0587d27149e7e
Opcode Fuzzy Hash: e7f902fd16b2de1d0e722a1b9df504f7a170521182f2521aafd66c31abe4c486
Instruction Fuzzy Hash: 7321F671920105BBDB18ABA0DD89CFEB7B8DF52754B14811AF425A31E1CF784D6A9A20

Function 002A3876 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A38EC
LoadLibraryW.KERNEL32(?), ref: 002A38F3
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A3908
DestroyWindow.USER32(?), ref: 002A3910

Strings

SysAnimate32, xrefs: 002A38C7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d37f488515cbfd2bf9339cdd9342adb8b472fdc52e3bd75d41a6a7066d24c650
Instruction ID: 9203482cd2b984565f3d26455f7cd6dcb7c570ec7d470b23998ba4324a08927b
Opcode Fuzzy Hash: d37f488515cbfd2bf9339cdd9342adb8b472fdc52e3bd75d41a6a7066d24c650
Instruction Fuzzy Hash: 9B21F37152020AAFEF108F64DC84EBB77ADEB56364F100218FA11A31A0DBB0DD619760

Function 002350FD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002350AE,?,?,0023504E,?,002D98D8,0000000C,002351A5,?,00000002), ref: 0023511D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00235130
FreeLibrary.KERNEL32(00000000,?,?,?,002350AE,?,?,0023504E,?,002D98D8,0000000C,002351A5,?,00000002,00000000), ref: 00235153

Strings

CorExitProcess, xrefs: 00235128
mscoree.dll, xrefs: 00235116

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b587965709b728be97900f406cd9c0a5b0a6bf404af9e0b5e278fbe8243d7442
Instruction ID: d2be181510ab0f17878257c5854ebc99d4fc25240f4719415491eff9acda164b
Opcode Fuzzy Hash: b587965709b728be97900f406cd9c0a5b0a6bf404af9e0b5e278fbe8243d7442
Instruction Fuzzy Hash: 4AF0AF70A10218BFDB109F90EC4DBEDBBB8EF05752F0000A4F80EA2160CF308D60DA90

Function 0026E71E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0026E72B
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0026E73D
FreeLibrary.KERNEL32(00000000), ref: 0026E763

Strings

GetSystemWow64DirectoryW, xrefs: 0026E737
X64, xrefs: 0026E626

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d242a2fdda370ebb6c11fa9f41480e631722ec3d224980a0d65740f543330da5
Instruction ID: 264e2d7d5e2b106c6da4ccc2a584b345e9791bae392f7ceecbc0c14327b68581
Opcode Fuzzy Hash: d242a2fdda370ebb6c11fa9f41480e631722ec3d224980a0d65740f543330da5
Instruction Fuzzy Hash: 7BF0E575C315619FDF731F209C4CAA9762CAF12700F160494F846A6460DF60CDB8C684

Function 00216332 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0021637F,?,?,002160AA,?,00000001,?,?,00000000), ref: 0021633E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00216350
FreeLibrary.KERNEL32(00000000,?,?,0021637F,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216362

Strings

Wow64DisableWow64FsRedirection, xrefs: 0021634A
kernel32.dll, xrefs: 00216336

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f3de99f19dd2839786b8e43b05677d2fa0fccecdeec757699fc95aed24575127
Instruction ID: eb041d70d353ef0d91ad77983c4dc48676d170b16d051fc109c9cf4862051853
Opcode Fuzzy Hash: f3de99f19dd2839786b8e43b05677d2fa0fccecdeec757699fc95aed24575127
Instruction Fuzzy Hash: DCE0CD32611B231793112B157C0CBDE66599FA3F237060155F905D2210DF70CD52C0F0

Function 002162FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002554C3,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00216316
FreeLibrary.KERNEL32(00000000,?,?,002554C3,?,?,002160AA,?,00000001,?,?,00000000), ref: 00216329

Strings

kernel32.dll, xrefs: 002162FD
Wow64RevertWow64FsRedirection, xrefs: 00216310

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5d5ab4b83f02d73c31b56b074112ee22a896f545c006255a9a0d84217343b5cb
Instruction ID: ba2c1065c1bb3d56a6eff4128074a6cd2ae9da61a57fcd10b2ea146b2b7045f3
Opcode Fuzzy Hash: 5d5ab4b83f02d73c31b56b074112ee22a896f545c006255a9a0d84217343b5cb
Instruction Fuzzy Hash: CCD012356625625743222B25BC1C9CE7E55DE97F213850159F816A2528CF60CD6185A0

Function 0028321B Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002834D9
DeleteFileW.KERNEL32(?), ref: 0028355B
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00283571
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00283582
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00283594

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 74572a99c6338f932d52f0215c10d38d315b2d6d907190342a9074bd8499eda1
Instruction ID: 1a6e5a0bd5f02733bf4b87aab3ef8c8cd81bebb520657d9f543a2318304a1859
Opcode Fuzzy Hash: 74572a99c6338f932d52f0215c10d38d315b2d6d907190342a9074bd8499eda1
Instruction Fuzzy Hash: CBB16CB2D11119ABDF11EFA4CC85EDEBBBDEF59714F0040A6F909A6181EA309B548F60

Function 0029ACE6 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0029AD86
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029AD94
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029ADC7
CloseHandle.KERNEL32(?), ref: 0029AF9C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e9b923ce004aa6e6f8e587d769a3214a1f71c3268d3196025e4f00b63a1d540f
Instruction ID: 99fc62acac957538986fc8a460f542c8c7a7e2a2ad0e31f91d387af4b521d196
Opcode Fuzzy Hash: e9b923ce004aa6e6f8e587d769a3214a1f71c3268d3196025e4f00b63a1d540f
Instruction Fuzzy Hash: 93A1D0B1610301AFDB20DF28C886F2AB7E5AF54710F14885DF9999B692DB71EC50CF82

Function 0029C328 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 0029D2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029C00D,?,?), ref: 0029D314
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D350
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3C7
Part of subcall function 0029D2F7: _wcslen.LIBCMT ref: 0029D3FD

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0029C404
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0029C45F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0029C4C2
RegCloseKey.ADVAPI32(?,?), ref: 0029C505
RegCloseKey.ADVAPI32(00000000), ref: 0029C512

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 055c2e0a79fbfbc9575bd9f69c4fe99f46c1277ffb055ebe5770de3cb0024a05
Instruction ID: a92863a3137a1f1767b56a4b408e46fbea982e3602860120535fa55aa01c9187
Opcode Fuzzy Hash: 055c2e0a79fbfbc9575bd9f69c4fe99f46c1277ffb055ebe5770de3cb0024a05
Instruction Fuzzy Hash: 9C61A031228241AFD714DF24C494E6ABBE5FF84308F64849CF45A8B2A2CB31ED55CF92

Function 0027EC27 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027E60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0027D6E2,?), ref: 0027E629

Part of subcall function 0027E60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0027D6E2,?), ref: 0027E642

Part of subcall function 0027E9C5: GetFileAttributesW.KERNEL32(?,0027D755), ref: 0027E9C6

lstrcmpiW.KERNEL32(?,?), ref: 0027EC9F
MoveFileW.KERNEL32(?,?), ref: 0027ECD8
_wcslen.LIBCMT ref: 0027EE17
_wcslen.LIBCMT ref: 0027EE2F
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0027EE7C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4434ea7a7b83535f221208c1644524c1fb1c69455f42cda17358dbf038bc0cff
Instruction ID: 2376903158d3c61c7e6494d19488df1c5f9bff7ad93e34b6a538a35d8fc4b4e6
Opcode Fuzzy Hash: 4434ea7a7b83535f221208c1644524c1fb1c69455f42cda17358dbf038bc0cff
Instruction Fuzzy Hash: 7A5185B24183859BC735EF60D8819DBB3ECAF99310F00496EF589D3151EF70A698CB66

Function 0027943F Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027945C
VariantClear.OLEAUT32 ref: 002794CD
VariantClear.OLEAUT32 ref: 0027952C
VariantClear.OLEAUT32(?), ref: 0027959F
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002795CA

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f906083e8c87f43c363fcf9c478a723a03d3a87f36dedaf936ead9ecaaec371c
Instruction ID: beca0308b8d8a34078a4a64724d1e91fb84fab65e9a5c28c613f10bd9721be0f
Opcode Fuzzy Hash: f906083e8c87f43c363fcf9c478a723a03d3a87f36dedaf936ead9ecaaec371c
Instruction Fuzzy Hash: 445159B5A1061AEFDB10CF58C884AAAB7F9FF8D314B058559F90ADB310D730E961CB90

Function 00289455 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00289508
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00289534
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0028958C
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002895B1
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002895B9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 130bcd14d2bdfe7776e6b5b22d9583d300367841dee4ae1098d48a655a9783ad
Instruction ID: e17e2384c05fbbc0cac1ec08aaa6458659ed3a3e9d477bfabf720fe9d0fe2849
Opcode Fuzzy Hash: 130bcd14d2bdfe7776e6b5b22d9583d300367841dee4ae1098d48a655a9783ad
Instruction Fuzzy Hash: D4515E39A102159FDB11DF64C884AADBBF5FF49314F088058E9496B3A2CB35ED91CF90

Function 00299843 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0029989F
GetProcAddress.KERNEL32(00000000,?), ref: 0029992F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0029994B
GetProcAddress.KERNEL32(00000000,?), ref: 00299991
FreeLibrary.KERNEL32(00000000), ref: 002999B1

Part of subcall function 0022F9E2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00281917,?,7529E610), ref: 0022F9FF
Part of subcall function 0022F9E2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002702F4,00000000,00000000,?,?,00281917,?,7529E610,?,002702F4), ref: 0022FA26

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ffe4fd4c9eb92ef394833742d93aa7c42b44a55383ff049ca33bdb5b0cf34ea8
Instruction ID: 530158ba0b84b1ae690878a8ea925726160ada23b378be4660ead97c8219da4f
Opcode Fuzzy Hash: ffe4fd4c9eb92ef394833742d93aa7c42b44a55383ff049ca33bdb5b0cf34ea8
Instruction Fuzzy Hash: FD514835A10205DFCB01EF68C4949A9BBF4FF19324B1480ADE81A9B762DB31ED95CF91

Function 002A74D5 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002A7592
SetWindowLongW.USER32(?,000000EC,?), ref: 002A75A9
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002A75D2
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0028B4D6,00000000,00000000), ref: 002A75F7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002A7626

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 9f1ddbfd4a3ffb72397eefa136381be97e1ba617b453c55eef8a68e0bdaa03ad
Instruction ID: 11e70baaa3ad1fbcb4ff691e3a0d166568b42dcc2b579a4d5551db15c1629a35
Opcode Fuzzy Hash: 9f1ddbfd4a3ffb72397eefa136381be97e1ba617b453c55eef8a68e0bdaa03ad
Instruction Fuzzy Hash: 5941C235E28145AFD729CF68DC48BA67BA5EB0B310F540224FD19A72E1CF70ED60DA54

Function 002423E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00242453
_free.LIBCMT ref: 00242473

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b3564537a31dae37cf08f0df951a1dc71b28a7af7627c2361ef7e9f61fae5344
Instruction ID: 6c010c1ea58d97ba94d830933328bf16ddd81d1ce39a9ce97780b0957e12ba23
Opcode Fuzzy Hash: b3564537a31dae37cf08f0df951a1dc71b28a7af7627c2361ef7e9f61fae5344
Instruction Fuzzy Hash: 3841FF72E20200DFCB28DF79C880A59B7E5EF88314F9541A9F915EB291DA70ED15CB80

Function 002119CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002119E1
ScreenToClient.USER32(00000000,?), ref: 002119FE
GetAsyncKeyState.USER32(00000001), ref: 00211A23
GetAsyncKeyState.USER32(00000002), ref: 00211A3D

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 79f2755b47f7638aed43d56dd0244f915104d443e424456be068acfd29349473
Instruction ID: b164aea1a93b3dd4a64a74d843b2b89aaba2c2c15b2fa846866d85d341c2f157
Opcode Fuzzy Hash: 79f2755b47f7638aed43d56dd0244f915104d443e424456be068acfd29349473
Instruction Fuzzy Hash: 0F41727191451AFBDF05DF68D844BEEBBB4FF05320F108216E929A2290CB706AA4CF95

Function 002841CE Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00284225
TranslateAcceleratorW.USER32(?,00000000,?), ref: 0028427C
TranslateMessage.USER32(?), ref: 002842A5
DispatchMessageW.USER32(?), ref: 002842AF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002842C0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 8c22877fa6d976ee8ff3d2b8282fed06aeb3fcd29c11adeb9287f32a32315a9f
Instruction ID: 9d5c74af68155c15cfa6c7b016b1fc909c047a6314d1c7a84206a9fc7ba06aff
Opcode Fuzzy Hash: 8c22877fa6d976ee8ff3d2b8282fed06aeb3fcd29c11adeb9287f32a32315a9f
Instruction Fuzzy Hash: D131D834965287DFEB34FF64AC4CBB677ACEB01305F1405ADE863861E0E7A49498CB21

Function 00272191 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002721A5
PostMessageW.USER32(00000001,00000201,00000001), ref: 00272251
Sleep.KERNEL32(00000000,?,?,?), ref: 00272259
PostMessageW.USER32(00000001,00000202,00000000), ref: 0027226A
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00272272

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3db52aa82dd3e4db0d6a0e9172ba18dfd6cbefac27feecf6df985f62fc119b49
Instruction ID: a5bb4db94af6fc6052faf303c7ae8ffc6e8b214d706cf4792a8725e3976d6a86
Opcode Fuzzy Hash: 3db52aa82dd3e4db0d6a0e9172ba18dfd6cbefac27feecf6df985f62fc119b49
Instruction Fuzzy Hash: E631CF7191021AEFDB04CFA8DD89ADE3BB5EB15314F108225FE29A72D1C770E954CB90

Function 0028D877 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0028CB7B,00000000), ref: 0028D895
InternetReadFile.WININET(?,00000000,?,?), ref: 0028D8CC
GetLastError.KERNEL32(?,00000000,?,?,?,0028CB7B,00000000), ref: 0028D911
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028CB7B,00000000), ref: 0028D925
SetEvent.KERNEL32(?,?,00000000,?,?,?,0028CB7B,00000000), ref: 0028D94F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 100956c4d58946f61458ebb24c1cd0c4d1926ab356c1f48f4552fdb6d5067a2a
Instruction ID: 853bc00e3c94dde6d5cc4d5ce96a7511a850bcf045cf5cdf8abd225a151c9356
Opcode Fuzzy Hash: 100956c4d58946f61458ebb24c1cd0c4d1926ab356c1f48f4552fdb6d5067a2a
Instruction Fuzzy Hash: 61318E75921306EFDB20EFA5D888AAFB7F8EF05354B10442EE546D2580EB30EE55DB60

Function 002A6065 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A60A4
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A60FC
_wcslen.LIBCMT ref: 002A610E
_wcslen.LIBCMT ref: 002A6119
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A6175

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 573ceb0e17461c2e493df6cef4976ed2d5ade55811a66be999a9ed0d15f4b02e
Instruction ID: b7fdd2f23583262bdbb8aa1cd8e57d2118012207e7faf12726ff05cc4636566e
Opcode Fuzzy Hash: 573ceb0e17461c2e493df6cef4976ed2d5ade55811a66be999a9ed0d15f4b02e
Instruction Fuzzy Hash: 7821A571920619ABDF109FA4DC88AEEBBB8FF06314F144217F925EA180DF709595CF50

Function 0029128D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002912AE
GetForegroundWindow.USER32 ref: 002912C5
GetDC.USER32(00000000), ref: 00291301
GetPixel.GDI32(00000000,?,00000003), ref: 0029130D
ReleaseDC.USER32(00000000,00000003), ref: 00291345

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f262a19c42802184f4a7034a6d93fd767c5bdcbe03c9651237e1a62f5f3b5bc3
Instruction ID: f5774bd935a598de32fb1bb688097b4ed74bbcd2013a711196e09c58a5415189
Opcode Fuzzy Hash: f262a19c42802184f4a7034a6d93fd767c5bdcbe03c9651237e1a62f5f3b5bc3
Instruction Fuzzy Hash: 8B21C07AA10214AFDB04EF65EC88AAEB7F8FF49300B048468E94AD7751CA30EC54CF50

Function 0024D15D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024D166
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024D189

Part of subcall function 00243BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00236A99,?,0000015D,?,?,?,?,002385D0,000000FF,00000000,?,?), ref: 00243BE2

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024D1AF
_free.LIBCMT ref: 0024D1C2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024D1D1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0b5def124a03d9bb37392134dc8e068ebaebe750f180b8c018a2b2ee676cb669
Instruction ID: 9721988185f4a1bdb8bdd843951660f940dc013ad3af59b31a61418d030bbcce
Opcode Fuzzy Hash: 0b5def124a03d9bb37392134dc8e068ebaebe750f180b8c018a2b2ee676cb669
Instruction Fuzzy Hash: 0201D6726216167F27256ABA6C8CD7F7A6DDEC7FA1314012AFD0DC7240DF618C1295B0

Function 00243188 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,0023F66E,0023547F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 0024318D
_free.LIBCMT ref: 002431C2
_free.LIBCMT ref: 002431E9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002431F6
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002431FF

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4697cf751ec5dd9808b05e75fa66be5d239ac5ba27410d851bba7cbb0c6a4ee2
Instruction ID: c991700a04db6d43c9a4a686eefaf41be84bd5483543e0d994fc9f943ac12a05
Opcode Fuzzy Hash: 4697cf751ec5dd9808b05e75fa66be5d239ac5ba27410d851bba7cbb0c6a4ee2
Instruction Fuzzy Hash: DE01F972671902B7871AE7356C4AD2B266DDFC53707610425F41ED2191EEB0CD365920

Function 0027089E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?,?,00270BEE), ref: 002708BB
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?), ref: 002708D6
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?), ref: 002708E4
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?), ref: 002708F4
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002707D1,80070057,?,?), ref: 00270900

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9e1c05380945250b0931bfdfbdc1c42e104675c546f8621f36686d94b45d81cc
Instruction ID: 5686829265fed10c99717af75443fcf5cd9e659af7ce8538cbd47474f30e0e6a
Opcode Fuzzy Hash: 9e1c05380945250b0931bfdfbdc1c42e104675c546f8621f36686d94b45d81cc
Instruction Fuzzy Hash: 9101A772610205FFEB104F64DC48F9A7AFDEF45751F108014F90AD2211DB74ED159BA0

Function 0027F1A7 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0027F1C3
QueryPerformanceFrequency.KERNEL32(?), ref: 0027F1D1
Sleep.KERNEL32(00000000), ref: 0027F1D9
QueryPerformanceCounter.KERNEL32(?), ref: 0027F1E3
Sleep.KERNEL32 ref: 0027F21F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e99fe34d562ed5a1cc93f7058b2d5c64350a5a3ae3149b11f87e4038e325c68c
Instruction ID: beca533d8e91ef83700c17cd59747ce5a2fb9e8c7599e61c137332e94034817c
Opcode Fuzzy Hash: e99fe34d562ed5a1cc93f7058b2d5c64350a5a3ae3149b11f87e4038e325c68c
Instruction Fuzzy Hash: 65016935C14619DBCF00AFA4EE4DAEEBB78FB09301F014065E90AB2151CF309564CB65

Function 00271989 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002719A4
GetLastError.KERNEL32(?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719B0
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719BF
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,0027142B,?,?,?), ref: 002719C6
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002719DD

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 27941c0f67ac5901010e7cc9008d57d10f190c8c990ccd944d883bd9c3ce74e4
Instruction ID: fa1235b01a84ec3de5f42256530ffcac993fa9b095f28feeb1c45feb965e3535
Opcode Fuzzy Hash: 27941c0f67ac5901010e7cc9008d57d10f190c8c990ccd944d883bd9c3ce74e4
Instruction Fuzzy Hash: 340181B5200206FFDB114FA9EC4DE6A3B7EEF8A360B114455F94AC3260DE31DC508A60

Function 00271844 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0027185A
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00271866
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00271875
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0027187C
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00271892

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b00b6c6ca11f6990cf9f6ac227898d71e2b7d53ce63a560dd69162fe4dd0627d
Instruction ID: 39e44fcf143369dc1df2fc6ead60a1e7a2ca9d3cbdd576e8aacfcc348dd3c22f
Opcode Fuzzy Hash: b00b6c6ca11f6990cf9f6ac227898d71e2b7d53ce63a560dd69162fe4dd0627d
Instruction Fuzzy Hash: E8F06279240311BBDB110F68EC4DF563B6DEF8A761F104454F94AC7250DE71DC108A60

Function 002718A4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002718BA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002718C6
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002718D5
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002718DC
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002718F2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 42dd55e4f39fd214a96bdfcc25ee84696fb4efa4fc36ab9820031f5538310e14
Instruction ID: b96e101c12070ec03176d366bd9f39e84cbb902a88f104cd786936d5a6ac8268
Opcode Fuzzy Hash: 42dd55e4f39fd214a96bdfcc25ee84696fb4efa4fc36ab9820031f5538310e14
Instruction Fuzzy Hash: 97F06279200312BBDB114F68EC4DF563B6DEF8A761F104414F94AC7250DE70D9508A60

Function 00280BCB Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280BE0
CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280BED
CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280BFA
CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280C07
CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280C14
CloseHandle.KERNEL32(?,?,?,?,00280A39,?,00283C56,?,00000001,00253ACE,?), ref: 00280C21

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d0ff862b9895f520eb8fd261f4ad1bb62875cb7d16c022c0a42366607c30533e
Instruction ID: 484d5bba14831d22a8b760a8d577ead95612a32b2f9378d1f5efae01a3e1674f
Opcode Fuzzy Hash: d0ff862b9895f520eb8fd261f4ad1bb62875cb7d16c022c0a42366607c30533e
Instruction Fuzzy Hash: 5C01D075802B169FCB30AF66D8C0806FBF5AE502093008A3FD09242971C770A858CF80

Function 002764D3 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002764E7
GetWindowTextW.USER32(00000000,?,00000100), ref: 002764FE
MessageBeep.USER32(00000000), ref: 00276516
KillTimer.USER32(?,0000040A), ref: 00276532
EndDialog.USER32(?,00000001), ref: 0027654C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2a5133b85e005eeccdef7c6cc1251591c051b7b42127b993951c2e453c3e6bcf
Instruction ID: af281a71f2f32dfe9513f47b085f57bf35ac9399faa63bb1dd84dca75be0b9fd
Opcode Fuzzy Hash: 2a5133b85e005eeccdef7c6cc1251591c051b7b42127b993951c2e453c3e6bcf
Instruction Fuzzy Hash: 1401D130510B04ABEB245F20ED4EB9677BCBB10B05F404559B18BA24E1DFF0AAA8CB90

Function 0024DADA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0024DAF2

Part of subcall function 00242D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4), ref: 00242D6E
Part of subcall function 00242D58: GetLastError.KERNEL32(002E1DC4,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4,002E1DC4), ref: 00242D80

_free.LIBCMT ref: 0024DB04
_free.LIBCMT ref: 0024DB16
_free.LIBCMT ref: 0024DB28
_free.LIBCMT ref: 0024DB3A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe97bb6d67bf01404c9788ecc2f745ba1904a584d2d53edb57f1f578aa7d6a69
Instruction ID: 18a1986c5a4a13325c88ee61d129cbeb61db72c71e9ff5967e8cbae1d2595c8f
Opcode Fuzzy Hash: fe97bb6d67bf01404c9788ecc2f745ba1904a584d2d53edb57f1f578aa7d6a69
Instruction Fuzzy Hash: E1F04F32E65649EB8729EF69F889D1A77DDEE043103D50C06F009D7551CA60FCD18A50

Function 00242630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024264E

Part of subcall function 00242D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4), ref: 00242D6E
Part of subcall function 00242D58: GetLastError.KERNEL32(002E1DC4,?,0024DB71,002E1DC4,00000000,002E1DC4,00000000,?,0024DB98,002E1DC4,00000007,002E1DC4,?,0024DF95,002E1DC4,002E1DC4), ref: 00242D80

_free.LIBCMT ref: 00242660
_free.LIBCMT ref: 00242673
_free.LIBCMT ref: 00242684
_free.LIBCMT ref: 00242695

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df55120cf6dbbe4abd00346180a4d89a389cecde8229b78505db17ee18282d53
Instruction ID: d42757d23ef07ebf888f29d1a79f0ed51f8b0d1aa2e1082e565263a10d1929c1
Opcode Fuzzy Hash: df55120cf6dbbe4abd00346180a4d89a389cecde8229b78505db17ee18282d53
Instruction Fuzzy Hash: EEF03070CA2690CB8B06AF65BC898483B6CBB147613410A27F519DA274C77109ABAFC4

Function 00211E65 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00211E74
StrokeAndFillPath.GDI32(?,?,00253258,00000000,?,?,?), ref: 00211E90
SelectObject.GDI32(?,00000000), ref: 00211EA3
DeleteObject.GDI32 ref: 00211EB6
StrokePath.GDI32(?), ref: 00211ED1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 040091876116bfee77cef5e239889960caace2a952889420b2e8982b3b98065f
Instruction ID: c33bc4c18570ad9f61a9389202a7f1928b616996153528ade2793439ee570275
Opcode Fuzzy Hash: 040091876116bfee77cef5e239889960caace2a952889420b2e8982b3b98065f
Instruction Fuzzy Hash: F7F01430051289EBDB265F64FD4CBA53FE9BB51322F249214F96A584F1CB3588AADF10

Function 002412D7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00241489
__freea.LIBCMT ref: 002414A7

Part of subcall function 002418C7: _free.LIBCMT ref: 002418DF

Strings

a/p, xrefs: 0024156E
am/pm, xrefs: 0024150A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 6b60b1b62b54c5498fdbc044a2f300cce6047a30187320970519934d181c68f1
Instruction ID: ed5def33df5aadd5c878d286518b42859a8a59d496112c5bdb2493c4be5cd418
Opcode Fuzzy Hash: 6b60b1b62b54c5498fdbc044a2f300cce6047a30187320970519934d181c68f1
Instruction Fuzzy Hash: 7ED1E075A30206DADB2C9F68C8857FABBB5FF05310F290159E902AB251D3759DF0CBA1

Function 00296B2D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 002305D2: EnterCriticalSection.KERNEL32(002E170C,?,00000000,?,0021D1DA,002E3540,00000001,00000000,?,?,0028EF39,?,?,00000000,00000001,?), ref: 002305DD
Part of subcall function 002305D2: LeaveCriticalSection.KERNEL32(002E170C,?,0021D1DA,002E3540,00000001,00000000,?,?,0028EF39,?,?,00000000,00000001,?,00000001,002E2430), ref: 0023061A

Part of subcall function 00230433: __onexit.LIBCMT ref: 00230439

__Init_thread_footer.LIBCMT ref: 00296B95

Part of subcall function 00230588: EnterCriticalSection.KERNEL32(002E170C,00000000,?,0021D208,002E3540,002527E9,00000001,00000000,?,?,0028EF39,?,?,00000000,00000001,?), ref: 00230592
Part of subcall function 00230588: LeaveCriticalSection.KERNEL32(002E170C,?,0021D208,002E3540,002527E9,00000001,00000000,?,?,0028EF39,?,?,00000000,00000001,?,00000001), ref: 002305C5

Part of subcall function 00283EF6: LoadStringW.USER32(00000066,?,00000FFF,002ADCEC), ref: 00283F3E
Part of subcall function 00283EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 00283F64

Strings

x3., xrefs: 00296CB0
x3., xrefs: 00296C97
x3., xrefs: 00296CCC

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x3.$x3.$x3.
API String ID: 1072379062-3845791144
Opcode ID: d38f1d1bc7d64e032dc39ba7f34de82e199ce35d2479387ec18665a0467626f6
Instruction ID: 3e00e2d4893e993163fd01c3f0d03e8f4fd02e5da5a4213dd695411c4c27eefb
Opcode Fuzzy Hash: d38f1d1bc7d64e032dc39ba7f34de82e199ce35d2479387ec18665a0467626f6
Instruction Fuzzy Hash: 8CC19D75A1010AAFCF14DF98C895DBEB7F9EF58300F148069F955AB291DB70AD60CB90

Function 0021CF30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0021D203

Strings

D5., xrefs: 0021CF78
D5., xrefs: 0021D1EA
D5., xrefs: 0021CF7F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5.$D5.$D5.
API String ID: 1385522511-149234557
Opcode ID: 07eb9d769c7d3ecf461e9c71d33e0bd57d231f1cf394d1da326fbd96cac7c65f
Instruction ID: aad718ad4cffd900be6a664f6624b3efd56277236910ea7f7be620635b4fbee2
Opcode Fuzzy Hash: 07eb9d769c7d3ecf461e9c71d33e0bd57d231f1cf394d1da326fbd96cac7c65f
Instruction Fuzzy Hash: 1C913B75A60206DFCB18CF59C4906AAB7F2FF68310F64416AD945AB340D771EEA2CF90

Function 00272FA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027BCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00272A60,?,?,00000034,00000800,?,00000034), ref: 0027BD09

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00272FF0

Part of subcall function 0027BCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00272A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 0027BCD4

Part of subcall function 0027BC06: GetWindowThreadProcessId.USER32(?,?), ref: 0027BC31
Part of subcall function 0027BC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00272A24,00000034,?,?,00001004,00000000,00000000), ref: 0027BC41
Part of subcall function 0027BC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00272A24,00000034,?,?,00001004,00000000,00000000), ref: 0027BC57

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027305D
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002730AA

Strings

@, xrefs: 002730C2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c6e8ccf26ebb525e33124e87d5ac54ecdaad5083f9286d6ae8c3479902184848
Instruction ID: a4e82b039edc19a5d5b1bda996652d61fddfcb14a71149775116f1d0dda9e237
Opcode Fuzzy Hash: c6e8ccf26ebb525e33124e87d5ac54ecdaad5083f9286d6ae8c3479902184848
Instruction Fuzzy Hash: 02415C76A1021CAFDB11DFA4CC85BDEBBB8EB05300F008099FA49B7180DA716E95DF60

Function 00241ABE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\wvtynvwe\AutoIt3.exe,00000104), ref: 00241AF9
_free.LIBCMT ref: 00241BC4
_free.LIBCMT ref: 00241BCE

Strings

C:\ProgramData\wvtynvwe\AutoIt3.exe, xrefs: 00241AF0, 00241AF7, 00241B26, 00241B5E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\ProgramData\wvtynvwe\AutoIt3.exe
API String ID: 2506810119-3538095461
Opcode ID: b6772b3d89343b6753bbd3facd523d1cb7830f14cac0d9d084e217487d5bb302
Instruction ID: 78b32e0100bdb0e0967e56d5b65f673269adf5ed3daa69f49b3cfc78959c6c1e
Opcode Fuzzy Hash: b6772b3d89343b6753bbd3facd523d1cb7830f14cac0d9d084e217487d5bb302
Instruction Fuzzy Hash: 6E31B571A50258EFDB29DF99DC85D9EBBFCEF84314B104066F80497210E7B04EA4CB90

Function 0027CA3D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0027CAC6
DeleteMenu.USER32(?,00000007,00000000), ref: 0027CB0C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E2990,012B5CD8), ref: 0027CB55

Strings

0, xrefs: 0027CA9F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 982074194376980a3ac00ce824954150cb6bf8110d08b6d7de00bc95ab78a918
Instruction ID: 9bb5b6ca6a2af817fb3dff023f824cde5bdb6f96dde65c66e5638e49960b3c8f
Opcode Fuzzy Hash: 982074194376980a3ac00ce824954150cb6bf8110d08b6d7de00bc95ab78a918
Instruction Fuzzy Hash: 174105701193429FD720DF34D846F5ABBE8EF94328F20851DF8A997291C730E914CBA2

Function 002A4D75 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002ADCD0,00000000,?,?,?,?), ref: 002A4E09
GetWindowLongW.USER32 ref: 002A4E26
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A4E36

Strings

SysTreeView32, xrefs: 002A4DDB

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 05acbc139244e834163e7ce5af6879c8217b7aac467749b5e479af090d2b05b6
Instruction ID: 699abe0d77a453a6f40ec121ddc984abdaf8447045f92893c06d015e4fda5949
Opcode Fuzzy Hash: 05acbc139244e834163e7ce5af6879c8217b7aac467749b5e479af090d2b05b6
Instruction Fuzzy Hash: B8319E31120606AFDF219F38DC45BEA7BA9EB5A334F204715F975921D0DBB0E8608B50

Function 002939AB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00293CB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,002939D4,?,?), ref: 00293CD5

inet_addr.WSOCK32(?), ref: 002939D7
_wcslen.LIBCMT ref: 002939F8
htons.WSOCK32(00000000), ref: 00293A63

Strings

255.255.255.255, xrefs: 002939F2, 002939F7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6d68611468ae952228295ed9ef29a4c97c6c8d2a564f464ce2174044d682e021
Instruction ID: b33c29b1b4efe5e695f56268c50a225f1d7f2a9e5032ef524bbae3721342bcf3
Opcode Fuzzy Hash: 6d68611468ae952228295ed9ef29a4c97c6c8d2a564f464ce2174044d682e021
Instruction Fuzzy Hash: 8D31C4396102029FCF10CF68C585EAA77F0EF15314F248159E8568B7A2D775EF55CB60

Function 002A4817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002A489F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002A48B3
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A48D7

Strings

SysMonthCal32, xrefs: 002A486A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f38c6de9e339535489d6095641cc2bbde7c9ab07292a9a18f0c141257e8135b8
Instruction ID: 020d4a8b25ea5b0fa48f333fa1f50d93fcd03e2c65db0fd147ac40a59a7c8569
Opcode Fuzzy Hash: f38c6de9e339535489d6095641cc2bbde7c9ab07292a9a18f0c141257e8135b8
Instruction Fuzzy Hash: EF21D132620219AFDF159F90DC46FEA3BB9EF89714F100214FA156B1D0DAB5EC618BA0

Function 002A4FB2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002A5064
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002A5072
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002A5079

Strings

msctls_updown32, xrefs: 002A4FE3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 09fa3a539e47cbfae27443df038f129d1ec7bec69e2ac6b006f2e117ab44b2bf
Instruction ID: 340a446805651881324976882976681c6b8ee6f1372a4e40d475b473ed4eb3c5
Opcode Fuzzy Hash: 09fa3a539e47cbfae27443df038f129d1ec7bec69e2ac6b006f2e117ab44b2bf
Instruction Fuzzy Hash: 78217AB5610619AFDB10DF24DC85DBB37ACEF9A3A4B100459F9019B2A1CB71EC658BA0

Function 00279E3C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00279EAC

Strings

#notrayicon, xrefs: 00279E46
#OnAutoItStartRegister, xrefs: 00279E82
#requireadmin, xrefs: 00279E68

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f7c796fe9cafc51a27d804ad765df9125e130a62044d10e3dfbbcee632d906fb
Instruction ID: 1bb442d12a2da8fca12545a9ba300eb94f7858e9cf6aa50a5f112a6894235d95
Opcode Fuzzy Hash: f7c796fe9cafc51a27d804ad765df9125e130a62044d10e3dfbbcee632d906fb
Instruction Fuzzy Hash: 4D21D77217031267D320EA299C02FE773E99F56700F148427F98D96585EBB19DE1C791

Function 002A4116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A419F
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A41AF
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A41D5

Strings

Listbox, xrefs: 002A416E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1cd787d53dbf448fd20bc66bfd6395370a0e65f81c77ea864cd71a414dcd5523
Instruction ID: 2d64a44fd5bf45c26b1f2f52bd09a81f009fd8ac72735cbb381d0b66cafda229
Opcode Fuzzy Hash: 1cd787d53dbf448fd20bc66bfd6395370a0e65f81c77ea864cd71a414dcd5523
Instruction Fuzzy Hash: 1B21C532620219BBDF119F54DC84FEB376EEFDA750F008114F9159B190CAB1DCA28BA0

Function 0028534E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00285362
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002853B6
SetErrorMode.KERNEL32(00000000,?,?,002ADCD0), ref: 0028542A

Strings

%lu, xrefs: 002853C9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f59542f8066a2e34323ee888cf64fa8eacf316b45b9af3a1136cae0a4f3fccb5
Instruction ID: bc1bcec9055866f6a5fc6b6634a7fd8b505bbf823c944ead4596f15f0c21fb8b
Opcode Fuzzy Hash: f59542f8066a2e34323ee888cf64fa8eacf316b45b9af3a1136cae0a4f3fccb5
Instruction Fuzzy Hash: 1531B174A10219AFC710EF54C984EAA7BF8EF09304F1480A4F809DB262DB71ED41CF61

Function 002A4B4A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A4BAE
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A4BC3
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A4BD0

Strings

msctls_trackbar32, xrefs: 002A4B85

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b65a3e441d46ca478c3a080c83c1ef14f4a0a912d1554eb0a190265ce785c6af
Instruction ID: dce15fdc327b51e537227aae9dc898f0e30cd44667ac121c2d6d0c518400219d
Opcode Fuzzy Hash: b65a3e441d46ca478c3a080c83c1ef14f4a0a912d1554eb0a190265ce785c6af
Instruction Fuzzy Hash: 0D11E331660208BFEF116E65CC46FAB77A8EFC6B18F110915FA55E60A0DAB1DC618B20

Function 002737E1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002184B7: _wcslen.LIBCMT ref: 002184CA

Part of subcall function 00273637: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00273655
Part of subcall function 00273637: GetWindowThreadProcessId.USER32(?,00000000), ref: 00273666
Part of subcall function 00273637: GetCurrentThreadId.KERNEL32 ref: 0027366D
Part of subcall function 00273637: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00273674

GetFocus.USER32 ref: 00273807

Part of subcall function 0027367E: GetParent.USER32(00000000), ref: 00273689

GetClassNameW.USER32(?,?,00000100), ref: 00273852
EnumChildWindows.USER32(?,002738CA), ref: 0027387A

Strings

%s%d, xrefs: 0027388E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0851aba446fd40f4805a8d83e49a25939aedbcf485ba0621a3f6d8f04ddf0b4f
Instruction ID: f44660ea71b0d8d1a43d5048d58dc743ca5c5911a67c755733ed78ddcb7ed482
Opcode Fuzzy Hash: 0851aba446fd40f4805a8d83e49a25939aedbcf485ba0621a3f6d8f04ddf0b4f
Instruction Fuzzy Hash: C911D575210206ABCF11BFB09C85AED376AAF95304F048075BD0D9B292CE7559599F60

Function 002A61E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A6220
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002A624D
DrawMenuBar.USER32(?), ref: 002A625C

Strings

0, xrefs: 002A61EE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 169f688c328a5af149a0a1d9512f1ec23a449daa128a4328f9beea46443f78c3
Instruction ID: 244668ffc9d5049d1708898c5bb402af3a1265ae5185e6d1ef08505ce2d1a042
Opcode Fuzzy Hash: 169f688c328a5af149a0a1d9512f1ec23a449daa128a4328f9beea46443f78c3
Instruction Fuzzy Hash: FC018075920218AFDB109F51DC88BAA7BB4FF46351F188099F889D6150DF7089A4EF31

Function 0027090F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09917fe4e404c722fae7d045eb84ee4e248eff633c2c08a56a6c1fd7a84d356
Instruction ID: 5e523044b75cd75f509b661d28678ec91bb18fdcc0073f06dcd80e97e2a34257
Opcode Fuzzy Hash: d09917fe4e404c722fae7d045eb84ee4e248eff633c2c08a56a6c1fd7a84d356
Instruction Fuzzy Hash: A9C19D75A1021AEFDB04CFA4C884EAEB7B5FF48704F208199E509EB251D731EE95CB90

Function 00244210 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0024429B
__alldvrm.LIBCMT ref: 0024449C
__alldvrm.LIBCMT ref: 002444BE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction ID: 972fd0ec19f495a6c3e5fe35a0a14509f3069e10fb1001ff4bda4f6bfc4ec79d
Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
Instruction Fuzzy Hash: 15A1AE719207879FEB1AEF28C8417AEBFE4EF51310F2841ADE9859B281C3749D61CB50

Function 00293D8B Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00293DB6
CoUninitialize.OLE32 ref: 00293DC0
VariantInit.OLEAUT32(?), ref: 00293DCB
VariantClear.OLEAUT32(?), ref: 00294078

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 928ff8f362ae36e4c6d880d47f6b0fe99b88738617d2ac6f3d57dc4df5dff295
Instruction ID: 642cf840d078a8814da9d6f36703fe397dfca6b5b79ccaa38dd1c0f1eedab6c2
Opcode Fuzzy Hash: 928ff8f362ae36e4c6d880d47f6b0fe99b88738617d2ac6f3d57dc4df5dff295
Instruction Fuzzy Hash: 8BA14C756246119FCB04EF24C485E6ABBE5FF88710F048459F98A9B362CB70ED51CF92

Function 00270CC6 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002B0BD4,?), ref: 00270E80
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002B0BD4,?), ref: 00270E98
CLSIDFromProgID.OLE32(?,?,00000000,002ADCE0,000000FF,?,00000000,00000800,00000000,?,002B0BD4,?), ref: 00270EBD
_memcmp.LIBVCRUNTIME ref: 00270EDE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0bde8ff8fb023a8bca6c4b7ac155c0a58f0aba49f252d7dd3c95a324f3d3aeb2
Instruction ID: 0c7fd088cc0bd4715bbad0b33da9b10c744791a380ba23725f1fc8fe7e95e991
Opcode Fuzzy Hash: 0bde8ff8fb023a8bca6c4b7ac155c0a58f0aba49f252d7dd3c95a324f3d3aeb2
Instruction Fuzzy Hash: F0810D71A10109EFCB14DF94C984EEEB7B9FF89315F208558F506AB250DB71AE4ACB60

Function 00251731 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00251860

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ee17b4e32e15c4bdfc9f697f23a8570435bada5cbea25664b8cbea41fdfaeb0b
Instruction ID: 820f238ff4938448b4d57a796f6cba3c78813c693f1ab14183baabbab6b0d893
Opcode Fuzzy Hash: ee17b4e32e15c4bdfc9f697f23a8570435bada5cbea25664b8cbea41fdfaeb0b
Instruction Fuzzy Hash: BA416971A30111ABEB346FBD9C4AB6E7AA8EF05331F140225FC28D6291D7744C798EA5

Function 00292433 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0029245A
WSAGetLastError.WSOCK32 ref: 00292468
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002924E7
WSAGetLastError.WSOCK32 ref: 002924F1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 50c818ebd7050878d5606aa50fdb23ea6c33c8c19a89e4535974a03d264b4021
Instruction ID: 68396c0e267aee83019c84395989d984c1ca56cb5d1f20a33948c8ebc88c6b61
Opcode Fuzzy Hash: 50c818ebd7050878d5606aa50fdb23ea6c33c8c19a89e4535974a03d264b4021
Instruction Fuzzy Hash: D2410438610201BFEB20AF24D896F6A77E4AF14714F54C048F91A9F2D2C772ED91CB91

Function 002A6BD7 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A6C41
ScreenToClient.USER32(?,?), ref: 002A6C74
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002A6CE1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a8ecfbcf2ae1ad14febc2e56519bfd82911e9104da27531f4f745ef3f87abfec
Instruction ID: 7613185e5788cc18f6c3db465c2da0eb226dffb5a33b3f55d34ca6bd5c9da572
Opcode Fuzzy Hash: a8ecfbcf2ae1ad14febc2e56519bfd82911e9104da27531f4f745ef3f87abfec
Instruction Fuzzy Hash: AD517E74A10609EFCF14CF54D9889AE7BB6FF46360F248159F8659B2A0DB30ED91CB90

Function 0024B7BF Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68236623220c9dc9387925dc3a9ab8f1a5c6a7e1c88f735aa60c00b2558b770
Instruction ID: 1bcec1f93e59cc6bddbe89882e3d47d42280771c4ddf814e264ad7b34024883e
Opcode Fuzzy Hash: d68236623220c9dc9387925dc3a9ab8f1a5c6a7e1c88f735aa60c00b2558b770
Instruction Fuzzy Hash: FF411771A20704AFD729AF78CC41BAABBECEF88710F10452AF551DB291D771D9658F80

Function 00286033 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002860DD
GetLastError.KERNEL32(?,00000000), ref: 00286103
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00286128
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00286154

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9d2066c3c6c6e46fa80b14fa14a849a183f8665b5223e7ea6113277401ba0476
Instruction ID: 86a16aaacaccca859baf8fce5cc2bd466213e36652763b2898c45d5278529d0b
Opcode Fuzzy Hash: 9d2066c3c6c6e46fa80b14fa14a849a183f8665b5223e7ea6113277401ba0476
Instruction Fuzzy Hash: E6413D39610611DFCB11EF15C488A5EBBE2EF59710B198488ED4AAB362CB30FD51CF91

Function 0024DC63 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00237101,00000000,00000000,00238669,?,00238669,?,00000001,00237101,8BE85006,00000001,00238669,00238669), ref: 0024DCB0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024DD39
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024DD4B
__freea.LIBCMT ref: 0024DD54

Part of subcall function 00243BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00236A99,?,0000015D,?,?,?,?,002385D0,000000FF,00000000,?,?), ref: 00243BE2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f426cfd3ad5922776f74d3cfc787be73e6f7cd56116dd2bdb062f30e6bf867ed
Instruction ID: eaf16f6b0126b8099dbe8afeb48a2135e5b13ce0f28fec1eb229e7aafcf56903
Opcode Fuzzy Hash: f426cfd3ad5922776f74d3cfc787be73e6f7cd56116dd2bdb062f30e6bf867ed
Instruction Fuzzy Hash: A731DE72A2020AABDF299F64DC85EAE7BA5EF01710F144169FC05D7190EB35DD64CBA0

Function 0027B333 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0027B388
SetKeyboardState.USER32(00000080), ref: 0027B3A4
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0027B412
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0027B464

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f4545529bf940f488f78f9962222c4eac564c0da09e1bc79075a02e3f441bc94
Instruction ID: fba2bc4895bac6612eaa9c8f78443ca21d5b82fd36dc5a87821599ab4b37db18
Opcode Fuzzy Hash: f4545529bf940f488f78f9962222c4eac564c0da09e1bc79075a02e3f441bc94
Instruction Fuzzy Hash: 7C316B31A60209AFFF228F25CC297FE7BA5EB45310F04C25AF499921D1C3B489A5C7A1

Function 002A5C20 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002A5CB1
GetWindowLongW.USER32(?,000000F0), ref: 002A5CD4
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A5CE1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A5D07

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: da8126bef6ce8bf34cb30975405eaf9b37adc07906d82286252ad999cd936dd4
Instruction ID: 2aa849d2c8095458d4804008adf4f9f04b544ac2fdd34d40e381c683798bd9bc
Opcode Fuzzy Hash: da8126bef6ce8bf34cb30975405eaf9b37adc07906d82286252ad999cd936dd4
Instruction Fuzzy Hash: 7931E634A71A2AFFEB249F14DC49BEA77A6EB06320F144103FA12561E1CFB569609B41

Function 0027B478 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0027B4CD
SetKeyboardState.USER32(00000080,?,00008000), ref: 0027B4E9
PostMessageW.USER32(00000000,00000101,00000000), ref: 0027B550
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0027B5A2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 93318404701450f192d41888a12f0182fa4f5ac427b0a2af7376b77e6d2bd466
Instruction ID: 09bba7c3ed215c39fd6e6ac80fc4aeb550e3d60330425c7a2f7648c7c6f6c285
Opcode Fuzzy Hash: 93318404701450f192d41888a12f0182fa4f5ac427b0a2af7376b77e6d2bd466
Instruction Fuzzy Hash: D1312B70E60259AEFF368F24C8097FE7BB6AF85320F84C21AE489561D1C3748A65C751

Function 002A2039 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A204A

Part of subcall function 002742CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 002742E6
Part of subcall function 002742CC: GetCurrentThreadId.KERNEL32 ref: 002742ED
Part of subcall function 002742CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00272E43), ref: 002742F4

GetCaretPos.USER32(?), ref: 002A205E
ClientToScreen.USER32(00000000,?), ref: 002A20AB
GetForegroundWindow.USER32 ref: 002A20B1

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 269be63b173f4f1b882b2c576822248271a694045c48e0018786b8f3b5ca705f
Instruction ID: 83867a570c106749c87f3ef4c465e74aa25d6095906dccaada4bb3fb679675e3
Opcode Fuzzy Hash: 269be63b173f4f1b882b2c576822248271a694045c48e0018786b8f3b5ca705f
Instruction Fuzzy Hash: AB313071E10109AFCB04EFA9C8858EEB7F8EF59304B5084AAE515E7211DB719E55CF90

Function 0027E7C1 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00214154: _wcslen.LIBCMT ref: 00214159

_wcslen.LIBCMT ref: 0027E7F7
_wcslen.LIBCMT ref: 0027E80E
_wcslen.LIBCMT ref: 0027E839
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0027E844

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 68b25aef8e95d9cdbbf3650b7e81d7f601f300c5c4773cf65da5c54fbb64daa5
Instruction ID: cb60579b33f428f6ee7a9e7ab4af67e101115b0eef91e5291705e574612a0ee6
Opcode Fuzzy Hash: 68b25aef8e95d9cdbbf3650b7e81d7f601f300c5c4773cf65da5c54fbb64daa5
Instruction Fuzzy Hash: F321E7B1D10215AFCF10EFA8C981BAEB7F8EF56350F1541A5E808AB251D6709E51CBB1

Function 0027DC9C Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0027DCC1
Process32FirstW.KERNEL32(00000000,?), ref: 0027DCCF
Process32NextW.KERNEL32(00000000,?), ref: 0027DCEF
CloseHandle.KERNEL32(00000000), ref: 0027DD9C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 63e4b20b3554a1b76d36eaae271f3f3e9b2431d2d7b217b533e454961eb02819
Instruction ID: 9d5cb100e7d155f2e63ecc57eb734e90da1742f9962bda0ddacf55ee34f506f6
Opcode Fuzzy Hash: 63e4b20b3554a1b76d36eaae271f3f3e9b2431d2d7b217b533e454961eb02819
Instruction Fuzzy Hash: FA318F72118301AFC311EF60D885AAFBBF8AF99350F04096DF585861A1EB719995CB92

Function 002A9928 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

GetCursorPos.USER32(?), ref: 002A9960
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002A9975
GetCursorPos.USER32(?), ref: 002A99BD
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 002A99F3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c20051722efb8414667375508e697474914177e3e58fc70bcea8498b31ccd8d3
Instruction ID: 60f658d8d09e767a50872429beb8bb1c61439e49aef85debb65776753b1bc0d6
Opcode Fuzzy Hash: c20051722efb8414667375508e697474914177e3e58fc70bcea8498b31ccd8d3
Instruction Fuzzy Hash: 3C21B135520129FFCB158F59DC89EEB7BB9EB0A310F10405AF9064A161DB31ADA0DB60

Function 0027DA81 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002ADC30), ref: 0027DABB
GetLastError.KERNEL32 ref: 0027DACA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0027DAD9
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002ADC30), ref: 0027DB36

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 73d58fef8066f247c4871eba31249ca46a3ac8ac408e7572408c8777d2f47bb9
Instruction ID: 46e3a6796682884b7663ea0b5422a395b2faddfcfcac2a9704f90403f34eb308
Opcode Fuzzy Hash: 73d58fef8066f247c4871eba31249ca46a3ac8ac408e7572408c8777d2f47bb9
Instruction Fuzzy Hash: 902171305282019FC700DF28D9859AAB7F4EE66368F148A5DF49EC72A1DB30DD59CB52

Function 00271E01 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002718A4: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002718BA
Part of subcall function 002718A4: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002718C6
Part of subcall function 002718A4: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002718D5
Part of subcall function 002718A4: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002718DC
Part of subcall function 002718A4: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002718F2

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00271E4E
_memcmp.LIBVCRUNTIME ref: 00271E71
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00271EA7
HeapFree.KERNEL32(00000000), ref: 00271EAE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6a8d69560a5b0adc5b52162c8918b5b1efa2de2602bb040ae98e3c46d146c40c
Instruction ID: 75ebf0952af06f679635689ed7b2b80d50eccfa9d9b316193036d485796aba1d
Opcode Fuzzy Hash: 6a8d69560a5b0adc5b52162c8918b5b1efa2de2602bb040ae98e3c46d146c40c
Instruction Fuzzy Hash: 33217171E20109EFDB10DFA8C945BEEB7B9EF84344F158059E859A7291D730AA25CF50

Function 002A30E1 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A3169
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A3183
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A3191
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002A319F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: caf3167c4b5f48e7ee4ee46758beaa96e6d014fca8454d2d38b250948d7e984c
Instruction ID: 3f38dc9276f6ffbddf3b7b69ccec6131f59f6ab048245398d5b2b49a6714fcf3
Opcode Fuzzy Hash: caf3167c4b5f48e7ee4ee46758beaa96e6d014fca8454d2d38b250948d7e984c
Instruction Fuzzy Hash: 6621C131628111AFE704DF14DC45FAABB99EF86324F148158F46A8B6D2CF71ED92CB90

Function 00278184 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0027960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00278199,?,000000FF,?,00278FE3,00000000,?,0000001C,?,?), ref: 0027961B
Part of subcall function 0027960C: lstrcpyW.KERNEL32(00000000,?,?,00278199,?,000000FF,?,00278FE3,00000000,?,0000001C,?,?,00000000), ref: 00279641
Part of subcall function 0027960C: lstrcmpiW.KERNEL32(00000000,?,00278199,?,000000FF,?,00278FE3,00000000,?,0000001C,?,?), ref: 00279672

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00278FE3,00000000,?,0000001C,?,?,00000000), ref: 002781B2
lstrcpyW.KERNEL32(00000000,?,?,00278FE3,00000000,?,0000001C,?,?,00000000), ref: 002781D8
lstrcmpiW.KERNEL32(00000002,cdecl,?,00278FE3,00000000,?,0000001C,?,?,00000000), ref: 00278213

Strings

cdecl, xrefs: 0027820A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0cd27c3f73bff83f9b4713c46c4a7c4d5b688de61440e1cd5d06c0baddf575f1
Instruction ID: f78b9cac599ab3cde8c8a2911c717d7d9cc93bf7646cdffed32be4949fb1bf60
Opcode Fuzzy Hash: 0cd27c3f73bff83f9b4713c46c4a7c4d5b688de61440e1cd5d06c0baddf575f1
Instruction Fuzzy Hash: 0711087A210342ABCB145F38D859E7A77A9FF99350B50802AFD4ACB650EF719821C7A1

Function 002A8621 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002A866A
SetWindowLongW.USER32(00000000,000000F0,?), ref: 002A8689
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002A86A1
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0028C10A,00000000), ref: 002A86CA

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c17042c4eaf52f3c5e73601de3b422c5dc9aa26499d11c6997b2dca89b9f8538
Instruction ID: 398a3a021b0eb2d1bff9c2273d089d98faa516eb18bf0f1b4bc0d2af937e4016
Opcode Fuzzy Hash: c17042c4eaf52f3c5e73601de3b422c5dc9aa26499d11c6997b2dca89b9f8538
Instruction Fuzzy Hash: 7911B7315206659FDB108F29DC48AA637A9FB46770F154724F936DB2F0DF309921CB50

Function 00242099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafc0c58beb02425e411bea9dcbeaa41025dd823eee014b3d781539f8e2344b7
Instruction ID: 58469b73752343df80b017748b301d8345b9dd7e1747d6998e15344c26d89727
Opcode Fuzzy Hash: bafc0c58beb02425e411bea9dcbeaa41025dd823eee014b3d781539f8e2344b7
Instruction Fuzzy Hash: DD012BB2625216FEF7252A797CC1F27674DDF52374B700325F529611D2DE708C644970

Function 002722B7 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002722D7
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002722E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002722FF
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027231A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d6589844c9328338d0dc2f8ffc6be3c388b713493d8cda10948c251cadf5958d
Instruction ID: 89c4238a7c6a56ab7680291da95c8a53ecad21b76035e406d88fe3331f019085
Opcode Fuzzy Hash: d6589844c9328338d0dc2f8ffc6be3c388b713493d8cda10948c251cadf5958d
Instruction Fuzzy Hash: AA11097AD00219FFEB119BA5CD85F9EFBB8EB08750F204091EA05B7290D6716E10DB94

Function 002AA852 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00212441: GetWindowLongW.USER32(00000000,000000EB), ref: 00212452

GetClientRect.USER32(?,?), ref: 002AA890
GetCursorPos.USER32(?), ref: 002AA89A
ScreenToClient.USER32(?,?), ref: 002AA8A5
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 002AA8D9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9719c145968d96c10661320f3c1b6697deccff35eb10a4f31814a027df7d8e91
Instruction ID: 9d8b8cfceb930ababdb1101f7e122bb7ed670e1b74c947d8787f99e7549a3117
Opcode Fuzzy Hash: 9719c145968d96c10661320f3c1b6697deccff35eb10a4f31814a027df7d8e91
Instruction Fuzzy Hash: 3711367191111AEFDF14DF98E8899EE77B8EF06301F100455F912E2150DB78AAA2CBA2

Function 0027EA02 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0027EA29
MessageBoxW.USER32(?,?,?,?), ref: 0027EA5C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0027EA72
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0027EA79

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: b4ab916ac42c5d2ab88c29c23054b9d96ef029e2fc07af809c3459ad525436c9
Instruction ID: c3223c353d6001f3e90e56c5fa0f6d88b4a0bf117c4c759b25fb8ceaff71dc44
Opcode Fuzzy Hash: b4ab916ac42c5d2ab88c29c23054b9d96ef029e2fc07af809c3459ad525436c9
Instruction Fuzzy Hash: F7114275910259FFCB01DF68AC4D99F7F6DAB46310F018196F82AE3290D674CD148BB0

Function 0023D55C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0023D389,00000000,00000004,00000000), ref: 0023D5A8
GetLastError.KERNEL32 ref: 0023D5B4
__dosmaperr.LIBCMT ref: 0023D5BB
ResumeThread.KERNEL32(00000000), ref: 0023D5D9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fed05242fb2a540d34acf816eb4ff04777b3f94ae33cd1c78d9c868bf012cb61
Instruction ID: 80b3526e2d70d1368ab892538e75b21fee00699999e7a986799d3e75420868b1
Opcode Fuzzy Hash: fed05242fb2a540d34acf816eb4ff04777b3f94ae33cd1c78d9c868bf012cb61
Instruction Fuzzy Hash: B501F9F2820205BBCB215FA5FC09F9A7B6CDF82335F500359F925821E0CF708824CAA1

Function 0021771B Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00217759
GetStockObject.GDI32(00000011), ref: 0021776D
SendMessageW.USER32(00000000,00000030,00000000), ref: 00217777

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1132fea449c97e945e460dabf506aef7290eea4f1eb4e1a01a2ba3ab245c2f40
Instruction ID: aa0a11c986da9530ceeb9daeed8c8c7dd29cd9632cd275e0b665988dc3dd0eb8
Opcode Fuzzy Hash: 1132fea449c97e945e460dabf506aef7290eea4f1eb4e1a01a2ba3ab245c2f40
Instruction Fuzzy Hash: 5A11AD7251554ABFEF064F90EC88EEAFBB9EF59364F000115FA1552050DB319CA1EBA0

Function 00243403 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,002433AA,00000364,00000000,00000000,00000000,?,0024361B,00000006,FlsSetValue), ref: 00243435
GetLastError.KERNEL32(?,002433AA,00000364,00000000,00000000,00000000,?,0024361B,00000006,FlsSetValue,002B3260,FlsSetValue,00000000,00000364,?,002431D6), ref: 00243441
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002433AA,00000364,00000000,00000000,00000000,?,0024361B,00000006,FlsSetValue,002B3260,FlsSetValue,00000000), ref: 0024344F

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cd45c1d57cd6b9f32afdaf26b91553d4cfbfc4012fbcd55b1e466962cd1cb32e
Instruction ID: 3bcda7a9d74b2ef6e909b9820fa92387e799524876d14eba7976b204f613566b
Opcode Fuzzy Hash: cd45c1d57cd6b9f32afdaf26b91553d4cfbfc4012fbcd55b1e466962cd1cb32e
Instruction Fuzzy Hash: 6101AC32621623EBCB26CF79BC48AD67B58AF45BB17110720F90AD7150DB24D951C6E0

Function 00277CF3 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00277D0E
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00277D26
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00277D3B
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00277D59

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a979efabd3b274ab1865d8f1aade725228e670e51f9a840df07b0498efe9b1f5
Instruction ID: 78a41bc881d5e30f526c466278562958ba333a78af985f3757aa4f2273c8fa9f
Opcode Fuzzy Hash: a979efabd3b274ab1865d8f1aade725228e670e51f9a840df07b0498efe9b1f5
Instruction Fuzzy Hash: 90116DB1229701ABE7309F24EC09BA27BFCEF04B00F108569A51AD6550D7B0E914DBA0

Function 0027B984 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027B5AF,?,00008000), ref: 0027B9A0
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027B5AF,?,00008000), ref: 0027B9C5
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0027B5AF,?,00008000), ref: 0027B9CF
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0027B5AF,?,00008000), ref: 0027BA02

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 41391b4dff15886206fd9adadab8b7eaa05745412b1db5e48c95a44fc9def7b4
Instruction ID: 51bd5fb09fb258bd3d8ecd9e5f6d326ce571351cfaeca823079010da4de787c2
Opcode Fuzzy Hash: 41391b4dff15886206fd9adadab8b7eaa05745412b1db5e48c95a44fc9def7b4
Instruction Fuzzy Hash: A8115E31C11629E7CF01AFE4E948BEDBB78FF09711F108095DA49B2140DB709661CB55

Function 002A8773 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002A8792
ScreenToClient.USER32(?,?), ref: 002A87AA
ScreenToClient.USER32(?,?), ref: 002A87CE
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002A87E9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: fb0b0da7aa3a7ee46ef4be5a88212d008cce5054f69768cfdebb1de508690f0d
Instruction ID: 93d27a5ca8682ceb7d5d9e123e637884f40ca3179e1554953c6bd470cddf1e31
Opcode Fuzzy Hash: fb0b0da7aa3a7ee46ef4be5a88212d008cce5054f69768cfdebb1de508690f0d
Instruction Fuzzy Hash: A81144B9D0020AEFDB41CF98D8849EEBBF9FB09310F104166E915E3610DB35AA54CF50

Function 00273637 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00273655
GetWindowThreadProcessId.USER32(?,00000000), ref: 00273666
GetCurrentThreadId.KERNEL32 ref: 0027366D
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00273674

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 4efdbf59057b73e0d1f22c765dcf36d640fa36739729300a3d104bb7ce85f719
Instruction ID: 2e9bed350990a61f807816cc350f76d4295b6f9efe28d80c819e6cd883765ccc
Opcode Fuzzy Hash: 4efdbf59057b73e0d1f22c765dcf36d640fa36739729300a3d104bb7ce85f719
Instruction Fuzzy Hash: F5E06D71111224BBDB205B66AC4DEEB7F6CDB53BA1F400019F10AD21909AA0C940D2B4

Function 002A91C2 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00211ED9: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00211F33
Part of subcall function 00211ED9: SelectObject.GDI32(?,00000000), ref: 00211F42
Part of subcall function 00211ED9: BeginPath.GDI32(?), ref: 00211F59
Part of subcall function 00211ED9: SelectObject.GDI32(?,00000000), ref: 00211F82

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002A91E6
LineTo.GDI32(?,?,?), ref: 002A91F3
EndPath.GDI32(?), ref: 002A9203
StrokePath.GDI32(?), ref: 002A9211

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c358d1c6ed68b6dd8753b7030ddee9513703a829376de5b24518f0b2772f25cf
Instruction ID: 47b5cda45e818a99bbe1deaf1f88034de45d3dfa86598e011cdd0e322d8cfcfa
Opcode Fuzzy Hash: c358d1c6ed68b6dd8753b7030ddee9513703a829376de5b24518f0b2772f25cf
Instruction Fuzzy Hash: 16F03A31091299BBDB125F55AC0DFCA3A59AF16310F148100FA12250E28B755566CFA9

Function 00212150 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0021216C
SetTextColor.GDI32(?,?), ref: 00212176
SetBkMode.GDI32(?,00000001), ref: 00212189
GetStockObject.GDI32(00000005), ref: 00212191

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 18554da4c0b406096d30d0704961ccd616b7066588a2bd07888e0cd25b474c0d
Instruction ID: 3122b2e944fda2cae7de2978ab24023b6416afe6803652bb434832b069b3b76f
Opcode Fuzzy Hash: 18554da4c0b406096d30d0704961ccd616b7066588a2bd07888e0cd25b474c0d
Instruction Fuzzy Hash: C2E06531640240AFDB215F74BC0D7D87B60AB13336F048219F7BF440E1C77146559B10

Function 00271EBB Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00271EC4
OpenThreadToken.ADVAPI32(00000000,?,?,?,00271A69), ref: 00271ECB
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00271A69), ref: 00271ED8
OpenProcessToken.ADVAPI32(00000000,?,?,?,00271A69), ref: 00271EDF

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b3aa172f14a3ecf77f820d437abaf064a4b4e390cd303122b4cbe71a7bdb487a
Instruction ID: db3e1df4203402ce93b66e7035a3d3e1f9bf2902bb60bcc65accdc31b7085172
Opcode Fuzzy Hash: b3aa172f14a3ecf77f820d437abaf064a4b4e390cd303122b4cbe71a7bdb487a
Instruction Fuzzy Hash: 8CE086356012129BE7301FA4BD0DB973B7CAF42791F108848B686C9080DA348455CB50

Function 0026EBD6 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026EBD6
GetDC.USER32(00000000), ref: 0026EBE0
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026EC00
ReleaseDC.USER32(?), ref: 0026EC21

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f2033fe05564feee0ce1e70d17fb86ff892f1b9d1e8c7e2ea641b24ad8c3c09a
Instruction ID: 975ca761881c72a5325fa873844f4bc758db6115aad981319804edbee54c65af
Opcode Fuzzy Hash: f2033fe05564feee0ce1e70d17fb86ff892f1b9d1e8c7e2ea641b24ad8c3c09a
Instruction Fuzzy Hash: 4AE01AB4810201EFCF50AFA0B80CA6DBBB9FB08710F118449E94BA7610CB785951EF00

Function 0026EBEA Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0026EBEA
GetDC.USER32(00000000), ref: 0026EBF4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0026EC00
ReleaseDC.USER32(?), ref: 0026EC21

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f0c692a13050fd4dfb3775e9d010180dc124bd2d44895c4fd835bfa6dc62c7cb
Instruction ID: 2f443743465fadbca5e3a46aae7a03235af60bfaccd05a3edce15aff0082e73d
Opcode Fuzzy Hash: f0c692a13050fd4dfb3775e9d010180dc124bd2d44895c4fd835bfa6dc62c7cb
Instruction Fuzzy Hash: 35E012B0C10200EFCF50AFA0B80CAADBBB9BB08710F118449E94AA3610CB389901EF00

Function 002856E1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00214154: _wcslen.LIBCMT ref: 00214159

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 0028582E

Strings

LPT, xrefs: 00285755
*, xrefs: 0028576A

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 4f0709ad4d451895140a8d39d948f9d22829ea1b039fa0fa8437b8688b977434
Instruction ID: ab0f3addf52b30a91f81bb5ba26fc6a5eb9548d414be846e4a36ffc407cb33ae
Opcode Fuzzy Hash: 4f0709ad4d451895140a8d39d948f9d22829ea1b039fa0fa8437b8688b977434
Instruction Fuzzy Hash: E491A078A11615DFCB14EF54C484EAABBF1AF48314F188099E8495F3A2C771EE95CF90

Function 0027562E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 002757DA

Strings

0$., xrefs: 0027587D
Container, xrefs: 00275749

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ContainedObject
String ID: 0$.$Container
API String ID: 3565006973-574371399
Opcode ID: 0cf49e2ec9815343fb210d47017d520ca02a2b1b3bb5eab7b56d992f553c712c
Instruction ID: cd1601e758324dc2edf618459360d7053594f3a1f5fedd5365828608fe51add1
Opcode Fuzzy Hash: 0cf49e2ec9815343fb210d47017d520ca02a2b1b3bb5eab7b56d992f553c712c
Instruction Fuzzy Hash: 76815870610611AFDB54CF64C884A6ABBF9FF48704F10856EF94ACB691DBB1E891CF50

Function 0023E60D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0023E69D

Strings

pow, xrefs: 0023E675, 0023E692

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2424fb9435a2c98ec52cd9d4375da5858e11f1c4ea02011c4a98f464c7d28728
Instruction ID: 9b44949dc2eec9df3f736348123fb5ae4cb1aa0fb46360d426db9d6f47bb7cf3
Opcode Fuzzy Hash: 2424fb9435a2c98ec52cd9d4375da5858e11f1c4ea02011c4a98f464c7d28728
Instruction Fuzzy Hash: 605190A1D3810396CF19BF14DD4637E67A8AB50B00F314A59F0DA422E9EF748CF99E46

Function 0022A86C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0022A896

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 449f19c0baebac1d44ca0942a3376eb742e86fc31bd0968186c2d5c8396fc941
Instruction ID: dc109b4dece296c4d3cc4271880c66c8b67edf9c21ef1594b9d0fe6cdc0bc9a3
Opcode Fuzzy Hash: 449f19c0baebac1d44ca0942a3376eb742e86fc31bd0968186c2d5c8396fc941
Instruction Fuzzy Hash: 14514031524257EFCF25DF68E480AFA7BA1EF25310F684155E8919B290DE309DE2CB61

Function 0022F6D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0022F6E9
GlobalMemoryStatusEx.KERNEL32(?), ref: 0022F702

Strings

@, xrefs: 0022F6F6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 960e1731b1e5ab6de372716edb2259eb52e645afdade93bd88858652f46392b3
Instruction ID: a289211a02bc99aad15d3116ef1d9d984ac96785d74f05406b9d90320be625ac
Opcode Fuzzy Hash: 960e1731b1e5ab6de372716edb2259eb52e645afdade93bd88858652f46392b3
Instruction Fuzzy Hash: F15137715187449BD360AF10EC86BABBBE8FFA4310F81885DF299411A1DF708579CB66

Function 002960A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0029613D
_wcslen.LIBCMT ref: 00296149

Strings

CALLARGARRAY, xrefs: 00296143, 00296148

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 0c178ddd1942497eec64d558d887dd684dfcabafdc1e313503ae452177a81d3f
Instruction ID: 638f03c550f1a30a88453f15a927e346302d6316f510dc58ca4d0f244c75bf3d
Opcode Fuzzy Hash: 0c178ddd1942497eec64d558d887dd684dfcabafdc1e313503ae452177a81d3f
Instruction Fuzzy Hash: 7F418371A202199FCF04EFA8C8998EEBBF5EF59320F144069E50AA7352D7709DA1CF50

Function 0028DA51 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028DA8D
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0028DA97

Strings

|, xrefs: 0028DA68

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e49ffe0bf0df2a0f8b913b8c05c9787d4a4b328fed408972ae2ce641e7296393
Instruction ID: 2d3e0a58dec61ed18ae5ece6b8e15f6e459d604ec766727aa823450c9ef0b70d
Opcode Fuzzy Hash: e49ffe0bf0df2a0f8b913b8c05c9787d4a4b328fed408972ae2ce641e7296393
Instruction Fuzzy Hash: 6B313E75811119ABCF05EFA5DC85EEEBFB9FF14304F100019F815A62A2DB319966CF54

Function 002A4E96 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002A4F7E
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A4F93

Strings

', xrefs: 002A4EED

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 799b21943059123dba1653152f987ab54d9d26dc9bd90ac3b8ccdcdfb915675e
Instruction ID: 305615d2e774d370821084277cc82290feaadef38bb5b87a273187f3cb19a86e
Opcode Fuzzy Hash: 799b21943059123dba1653152f987ab54d9d26dc9bd90ac3b8ccdcdfb915675e
Instruction Fuzzy Hash: 04314874A1020A9FDB04DFA9C880BDABBB5FB89300F10106AE905EB751DBB0E951CF90

Function 002A3B4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A3BDB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A3BE6

Strings

Combobox, xrefs: 002A3BA8

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f7b5015df44f54e9b3fa972f3e24dda4ea0062799c164e5440b599edb858b286
Instruction ID: 1b26fb66edbfd91874c8492c27c6d03e3a6bae9ee46dff2b46ffa1a4d3ba8cb8
Opcode Fuzzy Hash: f7b5015df44f54e9b3fa972f3e24dda4ea0062799c164e5440b599edb858b286
Instruction Fuzzy Hash: D61193712201096FEF21DE18CC81EBB37ABEB863A8F104525F51497291DA71DD618BB0

Function 002A406F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0021771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00217759
Part of subcall function 0021771B: GetStockObject.GDI32(00000011), ref: 0021776D
Part of subcall function 0021771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00217777

GetWindowRect.USER32(00000000,?), ref: 002A40D9
GetSysColor.USER32(00000012), ref: 002A40F3

Strings

static, xrefs: 002A40B6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 306294f4701363dd7aa5706b817575c5add080576291836d38eb5941da97587a
Instruction ID: bd6a6e6a64e7bdc31fd6ae0a5c79a9a22259259a351783f857f5eac451862519
Opcode Fuzzy Hash: 306294f4701363dd7aa5706b817575c5add080576291836d38eb5941da97587a
Instruction Fuzzy Hash: E1113A7262020AAFDB00EFB8CC45AFA7BF8FB49314F004915F956E3150EA74E861DB60

Function 0028D67B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0028D6DA
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0028D703

Strings

<local>, xrefs: 0028D6C3

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0841dcf1e9f08fdbd4fdbc0d6d364d50fee7fdb7a5ef0a3605e760f56296a849
Instruction ID: 23bf37a30a381e732a46a282f0e01b6d86cd373bd46b969a92d8679e099e6d6c
Opcode Fuzzy Hash: 0841dcf1e9f08fdbd4fdbc0d6d364d50fee7fdb7a5ef0a3605e760f56296a849
Instruction Fuzzy Hash: 40110A75126236BAD7285F66AC48EE7BF9CEB127A4F004216B10DC31C0E7A09C54C7F0

Function 002A3D88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A3E0A
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A3E19

Strings

edit, xrefs: 002A3DEE

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f585f79a5d28a584a2b33cf82d60d77847efd541d78ac6206725e545e1ceabe7
Instruction ID: 575f06321fe500298e11895afcf54bdb8f6dfcb5c2b831407ab39f993f3edb8d
Opcode Fuzzy Hash: f585f79a5d28a584a2b33cf82d60d77847efd541d78ac6206725e545e1ceabe7
Instruction Fuzzy Hash: 76114C71520609EBEB109E64EC84AFB3BA9EF17368F504714F961971E0CB71EC619B60

Function 00277515 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

CharUpperBuffW.USER32(?,?,?), ref: 00277545
_wcslen.LIBCMT ref: 00277551

Strings

STOP, xrefs: 0027754B, 00277550

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 23ca1b8acac2e91d96cb40036b798c9232ef32d84fd458b5cb0fb1dd4c253b39
Instruction ID: 024ab7a0b0c90dbea820590a137e0ed9399c4433a146bfdbf84c3dc54eb43d89
Opcode Fuzzy Hash: 23ca1b8acac2e91d96cb40036b798c9232ef32d84fd458b5cb0fb1dd4c253b39
Instruction Fuzzy Hash: B901C832A341274BCB10AFBDDC459BF77B5BB657507504524EC1596191FB30DD60CB50

Function 0027256E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002725DC

Strings

ComboBox, xrefs: 0027257B
ListBox, xrefs: 002725A6

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 14ce02f468b9ab0aa0a1aa9ca1b10fda519f0a00072c79bd9daab02d5f899543
Instruction ID: 4db3f3c09a81bbfb899915bbad299cae9f1cfeb300cf6f56bb35e29fe5207ce3
Opcode Fuzzy Hash: 14ce02f468b9ab0aa0a1aa9ca1b10fda519f0a00072c79bd9daab02d5f899543
Instruction Fuzzy Hash: 7301F571A20115EBCB09FBA4CC65CFE77B4EF62310B44460AE866933D2EB30982C8A50

Function 00272468 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,00000180,00000000,?), ref: 002724D6

Strings

ComboBox, xrefs: 00272475
ListBox, xrefs: 002724A0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8577cb9ccb0e893f579381e1efa0fe82d285d22a7698f56c0079218be17801bf
Instruction ID: 8ee43eb8b142cd4966c0dda9ea9b7eaa3a2de53ae92492150db13199261c1d15
Opcode Fuzzy Hash: 8577cb9ccb0e893f579381e1efa0fe82d285d22a7698f56c0079218be17801bf
Instruction Fuzzy Hash: CD01FC71A20105A7CB19FBA0CC25EFF77F89F21304F14401AA40663282DB709E2CCA71

Function 002724EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,00000182,?,00000000), ref: 00272558

Strings

ComboBox, xrefs: 002724F9
ListBox, xrefs: 00272524

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ea7e0fd17f8f188ef2692af60ed8fef50c3ca1fd472be9a7d281364ce865db9f
Instruction ID: 8cd513efe32c3f0b4da25bfbdf49b5a07a204bb992ba9ee7a7980dc02cf97759
Opcode Fuzzy Hash: ea7e0fd17f8f188ef2692af60ed8fef50c3ca1fd472be9a7d281364ce865db9f
Instruction Fuzzy Hash: 7201F771A20105A7CB19FBA0C915EFE73F89B21700F544116B80673282EA709E2C8A71

Function 002725F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021B25F: _wcslen.LIBCMT ref: 0021B269

Part of subcall function 00274536: GetClassNameW.USER32(?,?,000000FF), ref: 00274559

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00272663

Strings

ComboBox, xrefs: 00272605
ListBox, xrefs: 00272630

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cacf20f29c19c2146f747ada9dd24ba8e55a08539e0afd404c9b956f625bf18a
Instruction ID: d1b9555b22c17ff652928c9e860679c0c9541e6289a6c2505e50dedecfb51a4d
Opcode Fuzzy Hash: cacf20f29c19c2146f747ada9dd24ba8e55a08539e0afd404c9b956f625bf18a
Instruction Fuzzy Hash: C4F0A971A70115A7C715F7A49C55FFF77BCAF21714F040616F566632C2DB70582C8650

Function 002A8AD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E4018,002E405C), ref: 002A8B1E
CloseHandle.KERNEL32 ref: 002A8B30

Strings

\@., xrefs: 002A8AE9

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \@.
API String ID: 3712363035-3058191372
Opcode ID: 18de5bc018971de270630f2376c06739bb164783154354b31e118b93b29509ea
Instruction ID: 23df410bf840b565788d0eff88ec523b5bf95e72d9964049434a63c1e8d54543
Opcode Fuzzy Hash: 18de5bc018971de270630f2376c06739bb164783154354b31e118b93b29509ea
Instruction Fuzzy Hash: 87F05EF2990344BBE7207B62FC8AFB73A5CDB05750F400471BB08DA192DA754C649AB8

Function 00243A7F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

j3+, xrefs: 00243AA5
O<$, xrefs: 00243A81

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID:
String ID: O<$$j3+
API String ID: 0-1511095827
Opcode ID: 3cbdd5bf4fe050d8186c4e7828ccca536139a39f9615304acab049e74eb0df74
Instruction ID: ffad6d723ee41c3f395edaf7918bd9d75400b95e03bcf535765b8b978a3a85f0
Opcode Fuzzy Hash: 3cbdd5bf4fe050d8186c4e7828ccca536139a39f9615304acab049e74eb0df74
Instruction Fuzzy Hash: D6F09025264169AADB18DF91D804AFA73A8DF04710F50446AFD8AC7180EA708FA0D365

Function 00297DDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00297DF0
_wcslen.LIBCMT ref: 00297E16

Strings

3, 3, 16, 1, xrefs: 00297DE0

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 77d5f58b8740d8b7b23292a81d3fba1022bcbbdfac6d2ead212f4ba20b013733
Instruction ID: a2834e2949f8f574ab11d257c9752756c323524c53435d37da129d6b22def4e6
Opcode Fuzzy Hash: 77d5f58b8740d8b7b23292a81d3fba1022bcbbdfac6d2ead212f4ba20b013733
Instruction Fuzzy Hash: 4DE02B4133531121D63426799CC25BB5189DFCA790B102CABF9C5C2276EA809CB283A0

Function 002713A5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002713B3

Strings

Error allocating memory., xrefs: 002713AC
AutoIt, xrefs: 002713A7

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 77446b1f22eb49bad2938d24cfd8d4f79a966e8c2d6cb0ea46e78a098ddb1f8f
Instruction ID: 510733fe9883a27d5556721222519f964f8d428609b1045bb98cba187dbc856b
Opcode Fuzzy Hash: 77446b1f22eb49bad2938d24cfd8d4f79a966e8c2d6cb0ea46e78a098ddb1f8f
Instruction Fuzzy Hash: 74E0D87226831537D21027947C47FC976848F06F11F104417F68D549C28EE164B04BA9

Function 002310D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0022FAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00231102,?,?,?,0021100A), ref: 0022FAE7

IsDebuggerPresent.KERNEL32(?,?,?,0021100A), ref: 00231106
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0021100A), ref: 00231115

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00231110

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 32ca628fd8d6f0463d9961c17a7238d12af39d4ab4f6bb084d34ecdb9bc7a2e9
Instruction ID: 99ab4fa2fcbd516fde4705eeeef45e008e45f40e6e2cb9c7ea530f5315b1f5e9
Opcode Fuzzy Hash: 32ca628fd8d6f0463d9961c17a7238d12af39d4ab4f6bb084d34ecdb9bc7a2e9
Instruction Fuzzy Hash: 58E06DB06203108BD3209F24E9487C3BBF4AB08340F00896DE88AC2651EBB4E4A8CF91

Function 0022F0C5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0022F102

Strings

85., xrefs: 0022F0F7
05., xrefs: 0022F0E2

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Init_thread_footer
String ID: 05.$85.
API String ID: 1385522511-1686519407
Opcode ID: ccaa1d7bdb66c156898a97e8deded04d29dff820943503000e1f5e2d60086ee7
Instruction ID: 759fe621268d1c3b85196654657ff21cb52b406ebb1137c215d9356dcb132531
Opcode Fuzzy Hash: ccaa1d7bdb66c156898a97e8deded04d29dff820943503000e1f5e2d60086ee7
Instruction Fuzzy Hash: 13E0DF310B0AE0EBC604DB58F98C9983360EB0D322BD001B9E4029B296DB201B618A18

Function 002838ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00283905
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0028391A

Strings

aut, xrefs: 0028390E

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e18cf3f9f865a2dad9cdfdaf9b40a5ffdb2594417097dadff5f3faf82b5b35d5
Instruction ID: 680e9067a1ffc6d2166d7513cdf3ea56d4b76c702f22c50f9cc32483700a600d
Opcode Fuzzy Hash: e18cf3f9f865a2dad9cdfdaf9b40a5ffdb2594417097dadff5f3faf82b5b35d5
Instruction Fuzzy Hash: C1D05BB150031467DA209754AC0DFCB7A6CDB45710F0001917E5691091DEB4E945C790

Function 002A2CB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A2CCB
PostMessageW.USER32(00000000), ref: 002A2CD2

Part of subcall function 0027F1A7: Sleep.KERNEL32 ref: 0027F21F

Strings

Shell_TrayWnd, xrefs: 002A2CC4

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 70bc7d03c3b9dc68aad390dea99fea6552943d950ad56665e21b5ec44a6d0d82
Instruction ID: bb2fe53799e2f634068017efcc362721dbe188c6fc8a65a5b39fb642caf45d24
Opcode Fuzzy Hash: 70bc7d03c3b9dc68aad390dea99fea6552943d950ad56665e21b5ec44a6d0d82
Instruction Fuzzy Hash: 93D0C9357D53506BF668B770ED4FFC66A54AB56B10F800816B24AAA1D0CDA468108A98

Function 002A2C81 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A2C8B
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A2C9E

Part of subcall function 0027F1A7: Sleep.KERNEL32 ref: 0027F21F

Strings

Shell_TrayWnd, xrefs: 002A2C84

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 130d72ac396eae90f25e9307ef6b1b7f7724f9bb185762dd24799512602f08e9
Instruction ID: 7f1cb5d92c94799cf82416fe1761a0b9f76960f46c2a45aa9454d59c4e8bfcd0
Opcode Fuzzy Hash: 130d72ac396eae90f25e9307ef6b1b7f7724f9bb185762dd24799512602f08e9
Instruction Fuzzy Hash: 55D0C9357E8350A7F668B770ED4FFD66A54AB51B10F400816B24AAA1D0CDA468108A98

Function 0024C19D Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0024C233
GetLastError.KERNEL32 ref: 0024C241
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024C29C

Memory Dump Source

Source File: 00000001.00000002.2111532049.0000000000211000.00000020.00000001.01000000.00000005.sdmp, Offset: 00210000, based on PE: true

Associated: 00000001.00000002.2111508352.0000000000210000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002AD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111598202.00000000002D3000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111642997.00000000002DD000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2111666566.00000000002E5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_210000_AutoIt3.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c95561a0dd708fb06635df776a6cb20ad80158419f3ada8e338bf7b8a932b776
Instruction ID: dfe79985d95096db5ac3cae92d0a4dd4c9baaec9a3d203b69b63061f141bde23
Opcode Fuzzy Hash: c95561a0dd708fb06635df776a6cb20ad80158419f3ada8e338bf7b8a932b776
Instruction Fuzzy Hash: 0741F931621207AFCB69CFEDD844AAA7BA5EF41320F344169FC5A67191DBF08D21DB50

Source: AutoIt3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Rage.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Rage.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: AutoIt3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: Rage.exe, 00000000.00000002.2056097910.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000001.00000000.2055005198.00000000002E5000.00000002.00000001.01000000.00000005.sdmp, AutoIt3.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: AutoIt3.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: AutoIt3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Rage.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\435687634234262.exe

C:\ProgramData\wvtynvwe\AutoIt3.exe

C:\ProgramData\wvtynvwe\clxs.a3x

C:\ProgramData\wvtynvwe\wercejx.a3x

C:\ProgramData\wvtynvwe\werviuybe.erv

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Windows Analysis Report
Rage.exe

Function 004031CE Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 368
stringcomfileCOMMON

Function 00403792 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D48 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 0040626C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405B0A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004062DA Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405ADB Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405AB6 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 004055AC Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405B53 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON